Hi. I have a client who needed all cookies to contain the HttpOnly flag in order to pass a penetration test for PCI compliance. I couldn't see a way of adding this flag to HAProxy's persistence cookies. Would it therefore be possible to add an 'httponly' option for the 'cookie' parameter?
As an interim measure I modified src/proto_http.c to add the flag to all persistence cookies:

5348a5349,5350 > len += sprintf(trash+len, "; HttpOnly"); >

I hope this is something which can be added permanently as an option, otherwise it seems quite awkward for certain HAProxy users needing to pass compliance tests.

Cheers, Matt.
-- mattbrock.co.uk
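
Review bot: the added line len += sprintf(trash+len, "; HttpOnly"); writes into trash with no bound visible in this hunk, and it appends the flag unconditionally to every persistence cookie. Use snprintf limited to the space remaining in trash after len, and gate the append on a per-proxy setting, such as the 'httponly' keyword on the 'cookie' line that the message asks for, so existing configurations keep their current Set-Cookie output. The second added line (5350) is empty and can be dropped.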