A.4 HttpOnly Command


OES Remote Manager sets an HttpOnly cookie attribute, which specifies that the cookie is not accessible through a script. This helps mitigate the risk of cross-site scripting.


If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through a client-side script.

If you modify the setting, you must restart OES Remote Manager.

HttpOnly <true|false>

true: Include HttpOnly as an attribute in the response header. This is the default setting.

false: Do not include HttpOnly in the response header.

To disable the HttpOnly attribute:

  1. Log in to the server as the root user, then open a terminal console.

  2. Stop the httpstkd daemon by entering

    rcnovell-httpstkd stop

  3. Open the /etc/opt/novell/httpstkd.conf file in a text editor.

  4. Review the potential security concerns for changing HttpOnly to false.

  5. Change the setting from

    HttpOnly true

    to

    HttpOnly false

  6. Save the file and exit the text editor.

  7. Start the httpstkd daemon by entering

    rcnovell-httpstkd start
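
After the restart, both the configured value and the cookies the server actually sends can be checked. The script below is an added example, not part of the OES documentation: the function names are hypothetical, and it assumes that "#" and ";" start comment lines in httpstkd.conf and that the last HttpOnly directive in the file wins.

```shell
#!/bin/sh
# Added example: audit the HttpOnly setting and the Set-Cookie headers sent.

# Print the effective HttpOnly value from an httpstkd.conf-style file.
# Assumptions: "#" and ";" start comment lines, the last directive wins,
# and a missing directive means the documented default (true).
# Usage: httponly_setting /etc/opt/novell/httpstkd.conf
httponly_setting() {
    awk '
        /^[ \t]*[#;]/ { next }
        $1 == "HttpOnly" && ($2 == "true" || $2 == "false") { v = $2 }
        END { print (v == "" ? "true" : v) }
    ' "$1"
}

# Read HTTP response headers on stdin and print the name of every cookie
# whose Set-Cookie header lacks the HttpOnly attribute.
# Exit status is 1 if at least one such cookie was found, 0 otherwise.
cookies_missing_httponly() {
    awk '
        BEGIN { bad = 0 }
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/\r$/, "", line)              # strip the CR of a CRLF ending
            sub(/^[^:]*:[ \t]*/, "", line)    # drop the header name
            n = split(line, parts, ";")
            found = 0
            for (i = 2; i <= n; i++) {        # parts[1] is name=value
                attr = tolower(parts[i])
                gsub(/[ \t]/, "", attr)
                if (attr == "httponly") found = 1
            }
            if (!found) { split(parts[1], kv, "="); print kv[1]; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample header (not captured from a real server).
printf 'Set-Cookie: sid=abc; Path=/; Secure\r\n' | cookies_missing_httponly \
    || echo "cookie(s) listed above lack HttpOnly"
```

To check a running server, pipe its saved response headers into cookies_missing_httponly instead of the constructed sample.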


HttpOnly true
HttpOnly false