Hello,
I'm trying to make a test project and have the problem that I cannot find a way to apply the httponly flag to a custom session cookie. Has anyone done this before in PASOE?
It is from the ABL, where an output parameter is mapped to a custom "session" cookie, and I want to apply the httponly flag to it.
I'm currently using OE 11.6.3. I have not seen an option for the REST transport to apply the httponly flag. Security scanners show an alert if they detect a "session" cookie without the httponly flag. So every transport method should be able to apply e.g. the httponly flag to a cookie.
If only the WEB transport is able to take control over the cookie flags, it is security-wise (reading cookie information from JavaScript) not usable to use the REST or SOAP transport. See RFC6265 ( tools.ietf.org/.../rfc6265 ) for more information about cookie flags.
Could this be a good candidate for the ideas section, if it isn't possible with the REST or SOAP transport?
I've created a support case for the issue with the cookie flags.
I have created an idea in the idea section for it:
community.progress.com/.../option_to_set_the_cookie_flags_in_pasoe_for_rest
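
The scanner check mentioned in this thread, as an added example that is not part of the original posts: it parses `Set-Cookie` header values following the RFC 6265 rules (attribute names are case-insensitive, and the cookie value is never treated as a flag) and reports cookies lacking `HttpOnly` or `Secure`. The header values and function names are constructed for illustration and are not captured PASOE output.

```python
# Added example: audit Set-Cookie header values for missing cookie flags.
# All header values below are constructed samples.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = header_value.split(";")
    # The first segment is the name=value pair; split on the first "=" only.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        key, _, val = av.partition("=")
        key = key.strip().lower()      # attribute names are case-insensitive
        if key:
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_values, required=("httponly", "secure")):
    """Return {cookie_name: [missing flags]} for cookies lacking a flag."""
    findings = {}
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/app; Secure; HttpOnly",  # both flags present
    "session=abc123; Path=/app",                       # no flags at all
    "session2=httponly; Path=/; secure",               # value is not a flag
    "token=xyz; Path=/; HTTPONLY; SECURE",             # upper-case attributes
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feeding it the `Set-Cookie` values returned by each transport (REST, SOAP, WEB) shows which of them emit the custom cookie without the flag.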