SquirrelHead has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have the following script which sets a cookie.

    #!/usr/bin/perl
    use CGI::Carp qw(fatalsToBrowser);
    use strict;
    use warnings;
    use CGI::Cookie;

    # Build the cookie with the Secure and HttpOnly attributes and a
    # three-month expiry, then emit it ahead of the Content-Type header.
    my $c = CGI::Cookie->new(
        -name     => 'mycookie',
        -value    => ['foo', 'bar'],
        -secure   => 1,
        -HttpOnly => 1,
        -expires  => '+3M',
    );
    print "Set-Cookie: $c\n";
    print "Content-Type: text/html\n\n";

Everything works as expected with the exception of the httponly flag which is not being set. I have used Firefox and Chrome to view the headers but neither show as having the httponly flag set.

I have tried every solution I can find including different modules but nothing works for me. Does anyone have experience of using httponly whether successful or not?

Any guidance here will be gratefully accepted. I really could do with some help before I pull out what little hair I have left!

Thanks

SquirrelHead

Re: Cannot get httponly to work
by Anonymous Monk on Feb 10, 2012 at 08:02 UTC

    Everything works as expected with the exception of the httponly flag which is not being set. I have used Firefox and Chrome to view the headers but neither show as having the httponly flag set.

    How are you checking to see if the flag is set?

    Tools + Options + Privacy + Show Cookies?

    Yeah, I can confirm that widget doesn't indicate whether or not httponly is set, but the header is sent

    $ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie /, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) "
    mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:54:06 GMT; secure; HttpOnly

    $ lwp-request -USEd http://localhost/cgi-bin/httponly.cgi
    GET http://localhost/cgi-bin/httponly.cgi
    User-Agent: lwp-request/6.03 libwww-perl/6.03

    200 OK
    Connection: close
    Date: Fri, 10 Feb 2012 07:59:39 GMT
    Server: Apache/2.0.54 (Win32) mod_ssl/2.0.54 OpenSSL/0.9.7g PHP/4.3.11 mod_perl/2.0.1 Perl/v5.8.9
    Content-Type: text/html; charset=UTF-8
    Client-Date: Fri, 10 Feb 2012 07:59:42 GMT
    Client-Peer: 127.0.0.1:80
    Client-Response-Num: 1
    Client-Transfer-Encoding: chunked
    Set-Cookie: mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 07:59:41 GMT; secure; HttpOnly
    Title: Untitled Document

    From the Web Console ( Ctrl+Shift+K ) I can confirm that cookies set with httponly don't show up in document.cookie

    So yeah, it works

      Hi there

      Thanks for taking the time to reply to this, it's much appreciated.

      I have run the command you entered from the command line but I get a different result to what you are seeing on screen

      $ perl -MCGI::Cookie -le " print CGI::Cookie->new( qw/ -name mycookie /, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) "
      mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 08:38:56 GMT; secure

      As there is no mention of the httponly flag being set do you think this is an issue with our Apache install or version rather than Perl?

      Up until now I have been viewing the cookie information through the Live Headers add-in in Firefox and by using the Tools, Developer Tools, Resources, Cookies menu options in Chrome.

      Thanks again for the help here.

      Cheers

      SquirrelHead

        Upgrade CGI

        $ pmvers CGI CGI::Cookie
        CGI: 3.59
        CGI::Cookie: 1.30
        $ perl -MCGI -le " print CGI->cookie( qw/ -name mycookie /, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) "
        mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:33 GMT; secure; HttpOnly
        $
        $ perl -MCGI -d:Modlist -le " print CGI->cookie( qw/ -name mycookie /, -value => [qw/ foo bar /], qw/ -secure 1 -httponly 1 -expires +3M / ) "
        mycookie=foo&bar; path=/; expires=Thu, 10-May-2012 09:12:39 GMT; secure; HttpOnly
        CGI 3.59
        CGI::Cookie 1.30
        CGI::Util 3.53
        Carp 1.23
        Exporter 5.66
        constant 1.21
        overload 1.13
        vars 1.02
        warnings 1.12
        warnings::register 1.02
Re: Cannot get httponly to work
by Khen1950fx (Canon) on Feb 10, 2012 at 08:09 UTC
    Note that the httponly option only works on the more recent browsers such as IE6, Firefox3, and Opera9.5. Also, I believe that you are missing your domain and cgi-bin path.

    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI qw/:standard/;
    use CGI::Cookie;
    use CGI::Carp qw/fatalsToBrowser/;

    # Same cookie as above, with explicit -domain and -path attributes
    # (the closing quote on -path was missing in the original post).
    my $c = CGI::Cookie->new(
        -name     => 'mycookie',
        -value    => ['foo', 'bar'],
        -secure   => 1,
        -expires  => '+3M',
        -domain   => 'your domain',
        -path     => '/path/to/cgi-bin',
        -httponly => 1,
    );
    print "Set-Cookie: $c\n";
    print "Content-Type: text/html\n\n";

      Hi

      I've had the domain and path set in the scripts before and taken out during testing. In fact, I have taken out and added back just about every possible permutation :) Adding them back again seems to make no difference.

      Thanks for the reply, I'm investigating the possibility that Apache is not setting the httponly flag at the moment.

      Cheers

      SquirrelHead

Re: Cannot get httponly to work
by steve (Deacon) on Oct 24, 2012 at 22:16 UTC

    If you are using perl 5.8.8 it is because you probably also have CGI.pm-3.15 installed.

    Support for httponly cookies was not added until CGI.pm-3.21.

    You can get CGI.pm-3.40 with perl 5.8.9, or update CGI to the current version.
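Pulling the two answers above together (Anonymous Monk's "upgrade CGI" and steve's note that -httponly only exists from CGI.pm-3.21), here is an added example, not code from the thread, of a CGI script that does not simply trust the module: it renders the cookie, checks the resulting Set-Cookie value for the HttpOnly attribute, and appends the attribute by hand when an old CGI::Cookie has silently dropped the option (the behaviour SquirrelHead saw in the one-liner with no HttpOnly in its output). The cookie name, value and paths are the ones from the original post; the manual fallback, the make_cookie helper and the STDERR diagnostic are my additions and an assumption about what a practitioner would want rather than anything the module documents.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI::Cookie;

# Added example (not from the thread). Builds the cookie, then inspects
# the rendered Set-Cookie value instead of assuming the module honoured
# every option it was given.
sub make_cookie {
    my $c = CGI::Cookie->new(
        -name     => 'mycookie',
        -value    => ['foo', 'bar'],
        -secure   => 1,        # only sent over HTTPS
        -httponly => 1,        # hidden from document.cookie
        -expires  => '+3M',
        -path     => '/',
    );

    # CGI::Cookie overloads "" to produce the Set-Cookie value, which is
    # what the original script relies on with print "Set-Cookie: $c\n".
    my $header = "$c";

    # Assumption in this example: CGI.pm older than 3.21 drops -httponly
    # without warning (see steve's reply), so add the attribute ourselves
    # rather than shipping a cookie that JavaScript can read.
    $header .= '; HttpOnly' unless $header =~ /;\s*HttpOnly\b/i;

    return $header;
}

my $header = make_cookie();

# Diagnostic to the error log, so the installed module version and the
# exact header can be compared against what the browser reports.
printf STDERR "CGI::Cookie %s emitted: %s\n", CGI::Cookie->VERSION, $header;

print "Set-Cookie: $header\n";
print "Content-Type: text/html\n\n";
print "<html><body>cookie set</body></html>\n";
```

To confirm from outside the browser, fetch the script with something that prints raw headers, for example `curl -si https://localhost/cgi-bin/httponly.cgi | grep -i '^set-cookie'`, and look for `; secure; HttpOnly` at the end of the line; the browser-side confirmation is the one Anonymous Monk gave, that the cookie does not appear in document.cookie from the Web Console. The manual fallback is a stopgap for hosts where CGI.pm cannot be upgraded; upgrading CGI (as the first reply says) is the proper fix, since the hand-appended attribute only covers cookies built through this one helper.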