I've come up with a way for older servers (Witango/TeraScript < 7.0.3) to
return a header with httpOnly and Secure cookies.

First, make sure that your witango.ini/server.ini has a proper path for
DEFAULTHEADER=

Next, edit the file pointed to (should be /MiscFiles/header.tml) to contain:

    HTTP/1.1 <@HTTPSTATUSCODE> <@HTTPREASONPHRASE><@CRLF>Content-Type: text/html<@CRLF><@IF "<@HTTPATTRIBUTE server_port> = 443 && !(<@HTTPATTRIBUTE http_cookie> contains 'Witango_UserReference')">Set-Cookie: Witango_UserReference=<@USERREFERENCE>; path=/; HttpOnly; Secure<@CRLF></@IF><@SETCOOKIES><@CRLF>

Caveats:

This will not set a user reference cookie when the port is not 443 (non-SSL
HTTP port 80 for example), therefore the user scope isn't usable outside of
HTTPS. This is done with the expectation that the first (and only) non-SSL
request received is responded to with a redirect to HTTPS, and that this
request doesn't set any variables in the user scope.

This also assumes that you are not overriding the HTTP header elsewhere in
your application. If you are already doing so for one-off requests, that's
fine, they will continue to work as before. But you can't be overriding the
HTTP header as a normal course of processing TAFs, or if you are, you need
to implement this logic in that assignment.

@SETCOOKIES is always present and remains unchanged, therefore its behavior
will remain unchanged.
Please let me know if you have any feedback on this issue as I can make
improvements to v 7.1 and v8.0.

Robert
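The following is an added example, not code from the post above or from Witango/TeraScript: a small Python model of the conditional Set-Cookie logic in that header.tml, plus a checker that reads the resulting header back and reports which cookies carry the HttpOnly and Secure attributes. It lets you see the exact header bytes the template produces for the three cases the caveats describe (first HTTPS visit, return HTTPS visit with the cookie already present, and a plain HTTP request on port 80). The request values and the app cookie are constructed sample data; the model assumes <@SETCOOKIES> emits one complete "Set-Cookie:" line per application cookie, each followed by CRLF, and that <@HTTPATTRIBUTE http_cookie> is the raw Cookie request header.

```python
"""Model of the conditional HttpOnly/Secure user-reference cookie in header.tml.

Added example; it reproduces the template's logic in Python so the output
for each case can be inspected. It is not Witango code.
"""
from dataclasses import dataclass, field
from typing import Dict, List

CRLF = "\r\n"
COOKIE_NAME = "Witango_UserReference"


@dataclass
class RequestContext:
    """Values the template reads for one request (constructed sample data)."""
    status_code: int           # <@HTTPSTATUSCODE>
    reason_phrase: str         # <@HTTPREASONPHRASE>
    server_port: int           # <@HTTPATTRIBUTE server_port>
    http_cookie: str           # <@HTTPATTRIBUTE http_cookie>, "" when absent
    user_reference: str        # <@USERREFERENCE>
    # Assumption: <@SETCOOKIES> contributes one full "Set-Cookie: ..." line
    # per application cookie, exactly as the application set it.
    set_cookies: List[str] = field(default_factory=list)


def build_header(ctx: RequestContext) -> str:
    """Return the raw response header the header.tml template would emit."""
    lines = [
        f"HTTP/1.1 {ctx.status_code} {ctx.reason_phrase}",
        "Content-Type: text/html",
    ]
    # The <@IF ...> block: only on port 443, and only when the request did not
    # already carry the user-reference cookie.
    if ctx.server_port == 443 and COOKIE_NAME not in ctx.http_cookie:
        lines.append(
            f"Set-Cookie: {COOKIE_NAME}={ctx.user_reference}; path=/; HttpOnly; Secure"
        )
    # <@SETCOOKIES> output passes through untouched (its flags are whatever
    # the application chose), then the final <@CRLF> ends the header block.
    lines.extend(ctx.set_cookies)
    return "".join(line + CRLF for line in lines) + CRLF


def audit_set_cookie_headers(raw_header: str) -> Dict[str, Dict[str, bool]]:
    """Parse Set-Cookie lines and report HttpOnly/Secure presence per cookie.

    Useful as a quick check against a captured response: every cookie that
    should be protected must show True for both attributes.
    """
    report: Dict[str, Dict[str, bool]] = {}
    for line in raw_header.split(CRLF):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        report[name] = {"HttpOnly": "httponly" in attrs, "Secure": "secure" in attrs}
    return report


if __name__ == "__main__":
    # Constructed sample requests covering the cases in the caveats.
    cases = {
        "first HTTPS visit": RequestContext(200, "OK", 443, "", "u123"),
        "return HTTPS visit": RequestContext(200, "OK", 443, f"{COOKIE_NAME}=u123", "u123"),
        "plain HTTP (port 80)": RequestContext(302, "Found", 80, "", "u123"),
        "app cookie via SETCOOKIES": RequestContext(
            200, "OK", 443, f"{COOKIE_NAME}=u123", "u123", ["Set-Cookie: pref=1; path=/"]
        ),
    }
    for label, ctx in cases.items():
        header = build_header(ctx)
        print(f"--- {label} ---")
        print(header.replace(CRLF, "\\r\\n\n"))
        print(audit_set_cookie_headers(header))
```

Run it directly to print each header with CRLFs made visible; the last case shows why the post's caveat about @SETCOOKIES matters: cookies the application sets itself keep whatever attributes the application gave them, so the template only protects the user-reference cookie.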