Hi

I've got a situation where, to satisfy an external security consultant, we need to set the "secure" and "httpOnly" flags on the DF Cookie.

I'm thinking that this might be done conditional on a database setting so as to only do it when needed, so something like, in SessionManager.wo:
Code:
Object oSessionManager is a cWebSessionManagerStandard

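    Function CreateSession String sAddr Returns String
        String sKey

        // Placeholder condition: stands in for the database setting lookup
        If ({checkTheDBSetting=True}) Begin
            // Mark the session cookie Secure and HttpOnly
            Set pbSessionCookieSecure to True
            Set pbSessionCookieHttpOnly to True
        End

        // Let the standard session manager create the session
        Forward Get CreateSession sAddr to sKey
        Function_Return sKey
    End_Function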

End_Object

Would this break anything, d' ya think? Is it the correct approach?

Mike