Re: Cannot get httponly to work

Everything works as expected with the exception of the httponly flag which is not being set. I have used Firefox and Chrome to view the headers but neither show as having the httponly flag set.

How are you checking to see if the flag is set?

Tools + Options + Privacy + Show Cookies?

Yeah, I can confirm that widget doesn't indicate whether or not httponly is set, but the header is sent

$ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie 
+/, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M 
+/ ) "
mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:54:06 GMT; secur
+e; HttpOnly
[download]

$ lwp-request -USEd  http://localhost/cgi-bin/httponly.cgi
GET http://localhost/cgi-bin/httponly.cgi
User-Agent: lwp-request/6.03 libwww-perl/6.03

200 OK
Connection: close
Date: Fri, 10 Feb 2012 07:59:39 GMT
Server: Apache/2.0.54 (Win32) mod_ssl/2.0.54 OpenSSL/0.9.7g PHP/4.3.11
+ mod_perl/2.0.1 Perl/v5.8.9
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 10 Feb 2012 07:59:42 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Set-Cookie: mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:59:4
+1 GMT; secure; HttpOnly
Title: Untitled Document
[download]

From the Web Console ( Ctrl+Shift+K ) I can confirm that cookies set with httponly don't show up in document.cookie

So yeah, it works

Comment on Re: Cannot get httponly to work Select or Download Code

Replies are listed 'Best First'.
Re^2: Cannot get httponly to work by SquirrelHead (Initiate) on Feb 10, 2012 at 08:48 UTC
Hi there Thanks for taking the time to reply to this, it's much appreciated. I have run the command you entered from the command line but I get a different result to what you are seeing on screen `$ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie +/, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M +/ ) " mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 08:38:56 GMT; secur +e` [download] As there is no mention of the httponly flag being set do you think this is an issue with our Apache install or version rather than Perl? Up until now I have been viewing the cookie information through the Live Headers add-in in Firefox and by using the Tools, Developer Tools, Resources, Cookies menu options in Chrome. Thanks again for the help here. Cheers SquirrelHead	[reply] [d/l]
Re^3: Cannot get httponly to work by Anonymous Monk on Feb 10, 2012 at 09:07 UTC
Upgrade CGI $ pmvers CGI CGI::Cookie CGI: 3.59 CGI::Cookie: 1.30 $ perl -MCGI -le " print CGI->cookie( qw/ -name mycookie /, -value => +[qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) " mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:33 GMT; secur +e; HttpOnly $ $ perl -MCGI -d:Modlist -le " print CGI->cookie( qw/ -name mycookie /, + -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / +) " mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:39 GMT; secur +e; HttpOnly CGI 3.59 CGI::Cookie 1.30 CGI::Util 3.53 Carp 1.23 Exporter 5.66 constant 1.21 overload 1.13 vars 1.02 warnings 1.12 warnings::register 1.02 [download]	[reply] [d/l]
Re^4: Cannot get httponly to work by SquirrelHead (Initiate) on Feb 10, 2012 at 09:29 UTC
Hi again I have 3.15 and 1.26. Time for an upgrade I think. I'll post results after update. Thanks SquirrelHead	[reply]
Re^5: Cannot get httponly to work by SquirrelHead (Initiate) on Feb 10, 2012 at 14:28 UTC


Perl-Sensitive Sunglasses
	PerlMonks