Has anyone successfully managed to wrap up their cookies with a httpOnly attribute? Doing this should prevent javascript accessing the document.cookie variable which helps prevent XSS attacks, however for the life of me I cannot get it to work, and am still able to see the site cookies via alert(document.cookie).
I have tried the following approach; <cfheader name="Set-Cookie" value="CFTOKEN=#localCFtoken#;HttpOnly"> Thanks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317205 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
