Lazarus

Programming => Networking and Web Programming => Topic started by: snorkel on November 26, 2019, 05:50:41 pm

Title: Indy TidHttpServer Set Cookie to HTTPONLY?
Post by: snorkel on November 26, 2019, 05:50:41 pm
Hi,
is it possible to set the tidhttpserver so the session cookie has httponly?
I see idcookie has options for it but it's not exposed anywhere in the server component.
Title: Re: Indy TidHttpServer Set Cookie to HTTPONLY?
Post by: Remy Lebeau on November 27, 2019, 07:57:56 pm
Quote from: snorkel on November 26, 2019, 05:50:41 pm
is it possible to set the tidhttpserver so the session cookie has httponly?

That option is not implemented in TIdHTTPServer itself.

However, in the OnCommand... events, if AResponseInfo.Session is not nil then you should be able to manually find a cookie in the AResponseInfo.Cookies collection whose CookieName matches TIdHTTPServer.SessionIDCookieName and Value matches AResponseInfo.Session.SessionID, and if found then set its HttpOnly (or any other property) as needed.
TinyPortal © 2005-2018