HttpOnly is ignored setting a cookie

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
Hace 2 años
Hello!

We need to set a cookie with the HttpOnly set to false.  This works on our local environments, but the cookie has HttpOnly true when we move this code to our server.  Is there something we might need to change in a configuration somewhere?  This is on nopCommerce 4.0.

Cookie-setting code:


var options = new Microsoft.AspNetCore.Http.CookieOptions
            {
                HttpOnly = false,
                Expires = cookieExpiresDate,
                Domain = string.IsNullOrEmpty(_aemSettings.AemDomainName) ? ".oursite.com" : _aemSettings.AemDomainName,
                SameSite = SameSiteMode.None,
                Secure = true 
            };
            _httpContextAccessor.HttpContext.Response.Cookies.Append(CART_QUANTITY_COOKIE_NAME, quantity.ToString(), options);
0
Hace 2 años
New information:

I added some logging to the method setting the cookie:


_logger.Information("The cookie option HttpOnly is " + options.HttpOnly);


And I see in my log: "The cookie option HttpOnly is False".

So, it looks like the cookie option is correct coming out of this method.  Is there anywhere else in nopCommerce that this might be getting changed?  Is there some setting I can't find about cookie security?  Is the capital F in "False" (instead of "false") a clue?

Jeremy
0
Hace 2 años
To anyone watching, this ended up being an issue on our network.  A device was forcing all cookies to have HTTP-only set to true.  nopCommerce was working exactly as it should have.

That's all!

Jeremy
0
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.