Why are HTTPOnly Cookies not being set correctly in IE9?

StackOverflow https://stackoverflow.com/questions/23201183

Question

I have setup my ColdFusion application to set HTTPOnly cookies using the code below (from http://www.petefreitag.com/item/764.cfm):

<cfcomponent output="false">
    <cfscript>
        THIS.Name = "MyCFApp";
        THIS.SessionManagement = true;
        THIS.SetClientCookies = false;
        THIS.SessionTimeout = CreateTimeSpan(0, 3, 0, 0);
        THIS.ApplicationTimeout = CreateTimeSpan(0, 8, 0, 0);
    </cfscript>

    <cffunction name="onSessionStart" returntype="Void" output="false">
        <cfheader
            name="Set-Cookie"
            value="CFID=#SESSION.CFID#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />
        <cfheader
            name="Set-Cookie"
            value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly;#APPLICATION.SECURE_COOKIES#;" />

        <cfreturn />
    </cffunction>
</cfcomponent>

(FYI, APPLICATION.SECURE_COOKIES allows me to set an application-specific value for secure cookies - production is SSL, so I can do secure, but my local dev environment is not SSL, so this is empty.)

When I clear my cookies/session in Google Chrome, and reload the page, I can see the Set-Cookie response headers in the debugger:

Google Chrome Debugger - Headers

When I inspect the cookies in the debugger, they are flagged as HTTPOnly:

Google Chrome Debugger - Cookies

When I do the same in IE9, I can see the Set-Cookie headers in the debugger:

IE9 - Headers

But, for the same request, the cookies are visible in the debugger:

IE9 - Cookies

When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:

enter image description here

What is going on here with IE9? How can I resolve this to properly set HTTPOnly Cookies?

Was it helpful?

Solution

promoted from the comments

I believe there was an issue with the developer tools in IE8 that would not display cookies with the HTTPOnly flag. This may still be an issue with IE9 but I have not been able to confirm.

When I reload in IE9, the cookies are visible, but not flagged as HTTPOnly:

enter image description here

The cookies that you are seeing in the developer tools after reloading IE9 are being sent by your browser to the server. Notice the Sent in the Direction column of the screenshot. This is also why it does not show the HTTPOnly flag as being sent. It has no meaning for the server. The Direction column will show Received for cookies sent from the server.

how can I confirm that my server is setting HTTPOnly cookies in IE?

enter image description here

If you look at the screenshot that you shared from IE9 showing the Response Headers, at the end of both Set-Cookie lines you can see the HTTPOnly flag. That shows that the server sent it to the browser. It is then up to the browser to respect (or not) that flag. I'm afraid you are dealing with a "working as designed" issue with the developer tools on an old version of Internet Explorer. NOTE - this is only an issue with the developer tools, not the browser's support of the HTTPOnly flag.

One easy way to check if the browser is respecting your HTTPOnly flag is to type the following in the address bar.

javascript:alert(document.cookie)

This will display a window with all of the cookies currently available to javascript. Any cookies with the HTTPOnly flag should NOT be displayed.


Here is one reference that I found - View HttpOnly session cookies in Internet Explorer

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top