Browser cookies served from PeopleSoft are marked as HttpOnly by default starting in PeopleTools 8.57. HttpOnly cookies prevent client side scripts
disable the HttpOnly flag for a PeopleSoft cookie by specifying the cookie name on the
Browser Cookie Rules grid on the
Cookie Rules tab of
the Web Profile.
Using the Web Profile configuration for disabling HttpOnly flags for cookies works well, but there are scenarios where the developer may want to
control whether the HttpOnly flag is set for a cookie. Unfortunately, the delivered
Cookie class used for creating cookies in PeopleCode does
not provide a way to set the HttpOnly flag. If a developer wants to disable the HttpOnly flag for a cookie via code, then they can use the
SetHeader method of the
%Response class to create the cookie manually.
%Response.SetHeader("Set-Cookie", "MyCookie=123; path=/");
This results in the cookie being marked as non-HttpOnly in the browser.