[ic] HttpOnly cookie flag

Mike Heins mike at perusion.com
Wed Feb 2 16:38:30 UTC 2011


Quoting Bill Carr (bill at bottlenose-wine.com):
> Hi ICers,
> 
> Is there any way in Interchange to set the HttpOnly flag on session cookies?

Not at the moment. We don't support setting flags.

> After installing mod_security on my Apache web servers I have started
> getting warnings about this flag not being set on session cookies.
> Microsoft introduced the HttpOnly flag and it is now accepted by all
> major browsers. When set, the cookie data is not accessible by
> JavaScript, for example via document.cookie. This can help mitigate XSS
> attacks.

Looks like it would be a good thing to do in some cases. However, if,
as with more and more catalogs, you use Web 2.0 features that call
the database via IC, then you will potentially break those functions.

Seems like a one-line patch would do it:

--- /usr/local/interchange/lib/Vend/Server.pm	Mon Nov  8 00:58:16 2010
+++ /tmp/Server.pm	Wed Feb  2 10:37:08 2011
@@ -549,6 +549,7 @@
 			$out .= $expstring;
 		}
 		$out .= '; secure' if $secure;
+		$out .= '; HttpOnly' if $::Pragma->{set_httponly};
 		$out .= "\r\n";
 	}
 	return $out;
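Review bot: the gate on the added line reads the process-global `$::Pragma->{set_httponly}`, while the `secure` attribute on the line just above it is driven by the per-call `$secure` variable; if this routine emits more than one cookie, or is reached from a path where the catalog's pragma is not the one in effect, the two attributes will be decided differently, so consider passing an `$httponly` flag the same way `$secure` is passed. Two smaller points: the headers compare `/usr/local/interchange/lib/Vend/Server.pm` against `/tmp/Server.pm`, so the paths need adjusting (or the right `patch -p` strip count) before it applies to a source checkout; and the new `set_httponly` pragma is not documented alongside the existing pragmas in the same change.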

Set 

	Pragma set_httponly

in catalog.cfg and you would be good to go.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.328.4479  <mike at perusion.com>

There is something fascinating about science. One gets such wholesale
returns of conjecture out of such a trifling investment of fact.
-- Mark Twain
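The warning Bill reports from mod_security is a check on the response's Set-Cookie headers, and it is also the quickest way to confirm that the patched Server.pm really emits the attribute. The script below is an added example written for this page; it is not Interchange code and not from either poster. It parses each Set-Cookie header and reports cookies that lack HttpOnly (and, for HTTPS responses, Secure), matching attribute names case-insensitively as browsers do. The sample headers are constructed, and the cookie name MV_SESSION_ID and its value are assumptions for the example, not something taken from the thread.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not code from Interchange or from this thread. It performs
the check behind the mod_security warning described above: for each
Set-Cookie header in a response, report cookies that lack HttpOnly, and,
when the response came over HTTPS, cookies that lack Secure.
"""


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie_name, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    flag attributes such as HttpOnly and Secure. Browsers treat attribute
    names case-insensitively, so "HttpOnly", "httponly" and "HTTPONLY"
    all land on the key "httponly".
    """
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return cookie_name, attrs


def audit_set_cookie(headers, https=True):
    """Return [(cookie_name, problem), ...] for every Set-Cookie header.

    headers: iterable of (header_name, header_value) pairs as received,
    e.g. response.getheaders() from http.client, which keeps repeated
    Set-Cookie headers as separate tuples. Header names are compared
    case-insensitively. Secure is only required when https is True,
    since a cookie set over plain HTTP with Secure would never be sent.
    """
    problems = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(header_value)
        if "httponly" not in attrs:
            problems.append((cookie_name, "missing HttpOnly"))
        if https and "secure" not in attrs:
            problems.append((cookie_name, "missing Secure"))
    return problems


# Constructed sample responses, not captured from a real server. The
# cookie name MV_SESSION_ID and its value are assumptions for this
# example. UNPATCHED is what the quoted Server.pm emits today; PATCHED is
# what the one-line patch would emit with "Pragma set_httponly" set.
UNPATCHED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "MV_SESSION_ID=s9Xk2; path=/; secure"),
]
PATCHED = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "MV_SESSION_ID=s9Xk2; path=/; secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, audit_set_cookie(hdrs) or "ok")
```

To run it against a live catalog, fetch a page with http.client over TLS and pass response.getheaders() to audit_set_cookie. Note the caveat raised in the reply above: a clean audit only tells you the attribute is present; any catalog JavaScript that reads the session id out of document.cookie will stop working once it is.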
