SetCookie(Name As String, Value As String, Expiration As DateTime = Nil, Domain As String = ".", Path As String = "/", Secure As Boolean = False, HTTPOnly As Boolean = False)
Sets the value of the Name cookie. The Domain and Path must exactly match the values that were used to create the cookie.
Name: Name of the cookie to set so you can retrieve the value later with the Value method.
Value: A value to store on the user’s browser.
Expiration: Date after which the cookie will no longer be available.
Domain: Limits access to the cookie to the domain specified.
Path: Limits access to the cookie to the path specified.
Secure: If True, the cookie can only be accessed via secure (https) connections.
HTTPOnly: If True, the cookie can only be accessed via (https) connections.
Notice where HTTPOnly says can only be accessed via (https) - This is a typo in the documentation, right? It should say “(http)” I assume?
True - in fact MDN says ( Link )
Document.cookie property. Note that a cookie that has been created with
fetch(). This mitigates attacks against cross-site scripting (XSS).
Any idea what that would mean in the context of a Xojo WebApp?
Yeah, for one thing, it means that any third party controls or libraries on the page would not be able to read the contents of the cookies when they send data to the back end, which could potentially be a security risk if you were storing some sort of connection token in a cookie.
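The difference between the Secure and HTTPOnly flags discussed in this thread, as an added example that is not from the Xojo documentation or from any poster here. It is a simplified JavaScript model of a browser cookie jar: the function names and the sample Set-Cookie headers are constructed for illustration, and Domain, Path and expiry matching are deliberately left out.

```javascript
// Simplified model of how a browser treats the Secure and HttpOnly attributes.
// Assumption: Domain, Path and expiry matching are ignored to keep the focus on the two flags.

// Parse one Set-Cookie header value into { name, value, secure, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('Set-Cookie needs name=value');
  // Attribute names are case-insensitive; flags such as Secure carry no value.
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has('secure'),
    httpOnly: flags.has('httponly'),
  };
}

// What any script on the page (first or third party) reads from document.cookie:
// HttpOnly cookies are left out, and Secure cookies appear only on https pages.
function visibleToScript(jar, pageIsHttps) {
  return jar
    .filter(c => !c.httpOnly && (!c.secure || pageIsHttps))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser places in the Cookie request header:
// HttpOnly makes no difference here, Secure cookies go out only over https.
function sentToServer(jar, requestIsHttps) {
  return jar
    .filter(c => !c.secure || requestIsHttps)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers, as a server might emit them.
const jar = [
  'theme=dark; Path=/',
  'session=abc123; Path=/; Secure; HttpOnly',
  'cart=42; Path=/; Secure',
].map(parseSetCookie);

console.log('script on https page :', visibleToScript(jar, true));
console.log('script on http page  :', visibleToScript(jar, false));
console.log('request over https   :', sentToServer(jar, true));
console.log('request over http    :', sentToServer(jar, false));
```

The `session` cookie never appears in what scripts can read, yet the browser still attaches it to https requests, so the server side of the app keeps receiving it.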