SetCookie

SetCookie(Name As String, Value As String, Expiration As DateTime = Nil, Domain As String = ".", Path As String = "/", Secure As Boolean = False, HTTPOnly As Boolean = False)

Sets the value of the Name cookie. The Domain and Path must exactly match the values that were used to create the cookie.

Parameter   Description
Name        Name of the cookie to set so you can retrieve the value later with the Value method.
Value       A value to store on the user's browser.
Expiration  Date after which the cookie will no longer be available.
Domain      Limits access to the cookie to the domain specified.
Path        Limits access to the cookie to the path specified.
Secure      If True, the cookie can only be accessed via secure (https) connections.
HTTPOnly    If True, the cookie can only be accessed via (https) connections.

Notice where HTTPOnly says "can only be accessed via (https)". This is a typo in the documentation, right? It should say "(http)", I assume?

You’re right that it’s wrong, but it’s more wrong than you think. HTTPOnly prevents the cookie from being seen by JavaScript.


True - in fact MDN says (link):

HttpOnly Optional

Forbids JavaScript from accessing the cookie, for example, through the Document.cookie property. Note that a cookie that has been created with HttpOnly will still be sent with JavaScript-initiated requests, for example, when calling XMLHttpRequest.send() or fetch(). This mitigates attacks against cross-site scripting (XSS).

Any idea what that would mean in the context of a Xojo WebApp?

Yeah, for one thing, it means that any third party controls or libraries on the page would not be able to read the contents of the cookies when they send data to the back end, which could potentially be a security risk if you were storing some sort of connection token in a cookie.


created documentation issue: https://tracker.xojo.com/xojoinc/xojo/-/issues/73942