What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?

StackOverflow https://stackoverflow.com/questions/15122308

Question

I currently have an issue with Firefox where it receives a cookie with the httponly flag. However, when a subsequent response is sent to the server, the request does not contain any httponly flag (which may be correct behaviour). However, when the response comes back down it returns the cookie, but it does not have the httponly flag attached, as I assume it is returning it in the same state it got it.

So is this correct behaviour? Should I be manually updating the httponly state of the cookie on the server for each request? Or should the httponly state be persisted between calls? I am sure there may be some different behaviour per browser, but just assume modern mainstream browsers.


Solution

A few moments after sending this I found:

Understanding the intended behaviour of HTTPOnly flag

which indicates that this is correct behaviour and the server has to continually append the httponly flag. Seems a bit wacky, but hey, as long as I know what the intended behaviour is.
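The round trip described in the question and answer, as an added example that is not part of the original post: a simplified browser cookie jar stores the Set-Cookie attributes but sends back only name=value, so a server that re-issues the cookie by copying the request's Cookie header (the hypothetical `naive_server_echo`) replaces the stored cookie with one that has lost HttpOnly, while a server that re-applies the attribute on every Set-Cookie (`correct_server_reissue`) keeps it. The jar and the sample cookie value are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: the server's first response sets an HttpOnly session cookie.
FIRST_SET_COOKIE = "session=abc123; Path=/; HttpOnly"

def browser_store(jar: dict, set_cookie: str) -> dict:
    """Store a Set-Cookie header the way a browser does: a later cookie with the
    same name replaces the earlier one, attributes included (RFC 6265, section 5.3)."""
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    for name, morsel in parsed.items():
        # Morsel["httponly"] is True when the flag was present, "" otherwise.
        jar[name] = {"value": morsel.value, "httponly": bool(morsel["httponly"])}
    return jar

def browser_cookie_header(jar: dict) -> str:
    """Build the Cookie request header: only name=value pairs, never attributes."""
    return "; ".join(f"{name}={c['value']}" for name, c in jar.items())

def naive_server_echo(cookie_header: str) -> str:
    """Hypothetical server that re-issues the cookie by echoing the request's
    Cookie header as Set-Cookie. HttpOnly is gone, because the browser never sent it."""
    return cookie_header

def correct_server_reissue(cookie_header: str) -> str:
    """Hypothetical server that re-applies the attributes on every Set-Cookie,
    which is what the accepted answer says the server has to do."""
    name, _, value = cookie_header.partition("=")
    return f"{name}={value}; Path=/; HttpOnly"

def simulate(server) -> bool:
    """Run one round trip and report whether the stored cookie is still HttpOnly."""
    jar = browser_store({}, FIRST_SET_COOKIE)
    request_header = browser_cookie_header(jar)       # "session=abc123"
    jar = browser_store(jar, server(request_header))  # second Set-Cookie replaces the first
    return jar["session"]["httponly"]

if __name__ == "__main__":
    print("echoing server keeps HttpOnly:", simulate(naive_server_echo))        # False
    print("re-issuing server keeps HttpOnly:", simulate(correct_server_reissue))  # True
```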

Licensed under: CC-BY-SA with attribution