I am wondering if there is some way to implement the HttpOnly flag with websession.cookie.set? Also wondering why the “sessionid” cookie in Xojo is not using the HttpOnly flag, or is there an option to enable it? It might help in hardening Xojo web apps against XSS attacks if available. It doesn’t seem to be used.
WHAT:
There should be a way to specify the ‘HttpOnly’ flag in any cookie set by websession.cookie - also the framework’s built-in cookie for session management ‘sessionid’ should have this flag set by default, or at least optionally.
WHY:
HttpOnly is an effective preventative measure that would build in increased protection for Xojo web app developers (and users) against Cross Site Scripting attacks on Xojo apps. The HttpOnly flag on a cookie should be trivial to support/implement.
DETAILS:
"99% of browsers and most web application frameworks" support HttpOnly (Xojo does not, to my knowledge).
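As an added example (not part of the post and not Xojo code), here is a small Python audit that a developer can run over the Set-Cookie headers their web app actually emits, to confirm whether the session cookie (the post's `sessionid`) carries HttpOnly and Secure. The additional cookie names and the sample headers are constructed assumptions, not taken from a real Xojo response.

```python
from dataclasses import dataclass, field

# "sessionid" is the Xojo session cookie named in the post; the other
# names are assumed common defaults so the audit is reusable elsewhere.
SESSION_COOKIE_NAMES = {"sessionid", "PHPSESSID", "JSESSIONID", "connect.sid"}


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the two flags we check.

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def audit_set_cookies(headers, session_names=SESSION_COOKIE_NAMES):
    """Return one CookieAudit per header; session cookies get findings for missing flags."""
    results = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name in session_names:
            if not c.httponly:
                c.findings.append("missing HttpOnly: session cookie readable by page scripts")
            if not c.secure:
                c.findings.append("missing Secure: session cookie may be sent over plain HTTP")
        results.append(c)
    return results


# Constructed sample headers (placeholder values), not captured from a real app.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for c in audit_set_cookies(SAMPLE_HEADERS):
        print(f"{c.name}: {'OK' if not c.findings else '; '.join(c.findings)}")
```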