Home/ Questions/Q 811859
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T01:06:38+00:00

How do I set the HTTPOnly flag? the TCookie does not have any method

  • 0

How do I set the HTTPOnly flag?
the TCookie does not have any method or property to specify the HTTPOnly flag.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you talking about TCookie in HttpApp.pas then there is no built in property to support HttpOnly.

    You can look at httpApp.pas at the TCookie.GetHeaderValue: string; implementation to verify.

    However a Cookie is just something set in the Header and TWebResponse has a CustomHeaders
    property. Where you could Call Response.CustomHeaders.Add(MyCookieValue);

    The following class is a modified version of TCookie to support HttpOnly that you can use to generate the cookie correctly.

    unit CookieGen;

interface
uses
 Sysutils,Classes,HttpApp;
type
  TCookieGenerator = class(TObject)
  private
    FName: string;
    FValue: string;
    FPath: string;
    FDomain: string;
    FExpires: TDateTime;
    FSecure: Boolean;
    FHttpOnly: Boolean;
  protected
    function GetHeaderValue: string;
  public
    property Name: string read FName write FName;
    property Value: string read FValue write FValue;
    property Domain: string read FDomain write FDomain;
    property Path: string read FPath write FPath;
    property Expires: TDateTime read FExpires write FExpires;
    property Secure: Boolean read FSecure write FSecure;
    property HttpOnly : Boolean read FHttpOnly write FHttpOnly;
    property HeaderValue: string read GetHeaderValue;
  end;

implementation

{ TCookieGenerator }

function TCookieGenerator.GetHeaderValue: string;
begin
  Result := Format('%s=%s; ', [HTTPEncode(FName), HTTPEncode(FValue)]);
  if Domain <> '' then
    Result := Result + Format('domain=%s; ', [Domain]);  { do not localize }
  if Path <> '' then
    Result := Result + Format('path=%s; ', [Path]);      { do not localize }
  if Expires > -1 then
    Result := Result +
      Format(FormatDateTime('"expires="' + sDateFormat + ' "GMT; "', Expires),  { do not localize }
        [DayOfWeekStr(Expires), MonthStr(Expires)]);
  if Secure then Result := Result + 'secure; ';  { do not localize }
  if HttpOnly then Result := Result + 'HttpOnly';  { do not localize }
  if Copy(Result, Length(Result) - 1, MaxInt) = '; ' then
    SetLength(Result, Length(Result) - 2);

end;

end.
    • 0