> Has anyone successfully managed to wrap up their cookies with a httpOnly > attribute? > Doing this should prevent javascript accessing the document.cookie variable > which helps > prevent XSS attacks, however for the life of me I cannot get it to work, and > am still able to > see the site cookies via alert(document.cookie). > > I have tried the following approach; > > <cfheader name="Set-Cookie" value="CFTOKEN=#localCFtoken#;HttpOnly">
Have you disabled the default creation of session identifier cookies by CF? You will need to do that, I think. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317209 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
