Author Topic: Indy TidHttpServer Set Cookie to HTTPONLY?  (Read 216 times)

snorkel

Indy TidHttpServer Set Cookie to HTTPONLY?
« on: November 26, 2019, 05:50:41 pm »
Hi,
Is it possible to set the tidhttpserver so the session cookie has httponly?
I see idcookie has options for it but it's not exposed anywhere in the server component.
***Snorkel***
If I forget, I always use the latest stable 32bit version of Lazarus and FPC. At the time of this signature that is Laz 2.06 and FPC 3.0.4
OS: Windows 10 64 bit

Remy Lebeau

Re: Indy TidHttpServer Set Cookie to HTTPONLY?
« Reply #1 on: November 27, 2019, 07:57:56 pm »
> Is it possible to set the tidhttpserver so the session cookie has httponly?

That option is not implemented in TIdHTTPServer itself.

However, in the OnCommand... events, if AResponseInfo.Session is not nil then you should be able to manually find a cookie in the AResponseInfo.Cookies collection whose CookieName matches TIdHTTPServer.SessionIDCookieName and Value matches AResponseInfo.Session.SessionID, and if found then set its HttpOnly (or any other property) as needed.
« Last Edit: November 27, 2019, 08:04:19 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
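
Added example, not part of Remy Lebeau's reply or of Indy itself: one way to write the lookup described in Reply #1 for Free Pascal/Delphi. The unit, class and function names are hypothetical, and it assumes the session cookie appears in AResponseInfo.Cookies only on the response that creates the session.

```pascal
unit SessionCookieHardening; // hypothetical unit name (added example)

{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}

interface

uses
  IdContext, IdCookie, IdCustomHTTPServer, IdHTTPServer;

type
  // Hypothetical holder for the handler; assign CommandGet to the server's
  // OnCommandGet (and OnCommandOther) event.
  TSessionCookieHardener = class
  public
    Server: TIdHTTPServer;
    procedure CommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
  end;

// Returns True if the session cookie was found in the response and marked.
function MarkSessionCookieHttpOnly(AServer: TIdHTTPServer;
  AResponseInfo: TIdHTTPResponseInfo): Boolean;

implementation

function MarkSessionCookieHttpOnly(AServer: TIdHTTPServer;
  AResponseInfo: TIdHTTPResponseInfo): Boolean;
var
  I: Integer;
  LCookie: TIdCookie;
begin
  Result := False;
  if AResponseInfo.Session = nil then
    Exit; // no session on this request, so there is no session cookie
  for I := 0 to AResponseInfo.Cookies.Count - 1 do
  begin
    LCookie := AResponseInfo.Cookies[I];
    // Match name and value so unrelated cookies are left untouched.
    if (LCookie.CookieName = AServer.SessionIDCookieName) and
       (LCookie.Value = AResponseInfo.Session.SessionID) then
    begin
      LCookie.HttpOnly := True; // hide the session ID from page scripts
      Result := True;
    end;
  end;
end;

procedure TSessionCookieHardener.CommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  // Mark the cookie before any headers are written to the client.
  MarkSessionCookieHttpOnly(Server, AResponseInfo);
  AResponseInfo.ContentText := 'ok';
end;

end.
```

A False result on later requests in the same session is expected under the assumption above, because the browser already holds the cookie and the server does not resend it.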