in reply to Cannot get httponly to work

Everything works as expected with the exception of the httponly flag which is not being set. I have used Firefox and Chrome to view the headers but neither show as having the httponly flag set.

How are you checking to see if the flag is set?

Tools + Options + Privacy + Show Cookies?

Yeah, I can confirm that widget doesn't indicate whether or not httponly is set, but the header is sent 

$ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie 
+/, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M 
+/ ) "
mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:54:06 GMT; secur
+e; HttpOnly

[download]

$ lwp-request -USEd  http://localhost/cgi-bin/httponly.cgi
GET http://localhost/cgi-bin/httponly.cgi
User-Agent: lwp-request/6.03 libwww-perl/6.03

200 OK
Connection: close
Date: Fri, 10 Feb 2012 07:59:39 GMT
Server: Apache/2.0.54 (Win32) mod_ssl/2.0.54 OpenSSL/0.9.7g PHP/4.3.11
+ mod_perl/2.0.1 Perl/v5.8.9
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 10 Feb 2012 07:59:42 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
Set-Cookie: mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:59:4
+1 GMT; secure; HttpOnly
Title: Untitled Document

[download]

From the Web Console ( Ctrl+Shift+K ) I can confirm that cookies set with httponly don't show up in document.cookie

So yeah, it works

Replies are listed 'Best First'.
Re^2: Cannot get httponly to work
by SquirrelHead (Novice) on Feb 10, 2012 at 08:48 UTC

    Hi there

    Thanks for taking the time to reply to this, it's much appreciated.

    I have run the command you entered from the command line but I get a different result to what you are seeing on screen

    $ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie 
+/, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M 
+/ ) "
mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 08:38:56 GMT; secur
+e

    [download]

    As there is no mention of the httponly flag being set do you think this is an issue with our Apache install or version rather than Perl?

    Up until now I have been viewing the cookie information through the Live Headers add-in in Firefox and by using the Tools, Developer Tools, Resources, Cookies menu options in Chrome.

    Thanks again for the help here.

    Cheers

    SquirrelHead

[reply]
[d/l]

      Upgrade CGI 

      $ pmvers CGI CGI::Cookie
CGI: 3.59
CGI::Cookie: 1.30

$ perl -MCGI -le " print CGI->cookie( qw/ -name mycookie /, -value => 
+[qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) "
mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:33 GMT; secur
+e; HttpOnly

$
$ perl -MCGI -d:Modlist -le " print CGI->cookie( qw/ -name mycookie /,
+ -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / 
+) "
mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:39 GMT; secur
+e; HttpOnly
CGI                    3.59
CGI::Cookie            1.30
CGI::Util              3.53
Carp                   1.23
Exporter               5.66
constant               1.21
overload               1.13
vars                   1.02
warnings               1.12
warnings::register     1.02

      [download]
[reply]
[d/l]

        Hi again

        I have 3.15 and 1.26. Time for an upgrade I think.

        I'll post results after update.

        Thanks

        SquirrelHead

[reply]

In Section Seekers of Perl Wisdom