[web-devel] HttpOnly

Michael Snoyman michael at snoyman.com
Thu Jun 30 15:58:39 CEST 2011


Hi all,

Here's one of those times I'd like to get some cross-framework
discussion going. In Yesod, we use a combination of the cookie
package[1] and clientsession[2] for storing user sessions. A few
questions:

* I recently heard that Snap also uses client-side sessions. If this
is true, what packages does it use?
* Can anyone think of a downside to setting HttpOnly on session cookies?
* Now that I realize the option for HttpOnly is missing from the
cookie package, can anyone see anything else missing from its API?

In general, given that cookies are one of those ill-specified, very
finicky parts of the web, I'd like it if we could try to converge on a
single package for cookie parsing/rendering (both server and client
side). Currently, Yesod and wai-test[3] both use it. Assuming we ever
get a "Browser"-style module for http-enumerator, I would assume we'd
use it there too.

Michael

[1] http://hackage.haskell.org/package/cookie
[2] http://hackage.haskell.org/package/clientsession
[3] http://hackage.haskell.org/package/wai-test


