Best IT Recipes

How exactly do you configure httpOnlyCookies in ASP.NET?

Inspired by this CodingHorror article, Protecting Your Cookies: HttpOnly "

How do you set this property? Somewhere in the web configuration?

+37
cookies xss
Aug 28 '08 at 22:14
source share
4 answers

If you are using ASP.NET 2.0 or higher, you can include it in the Web.config file. In <system.web>, add the following line:

<httpCookies httpOnlyCookies="true"/>
+47
Aug 28 '08 at 22:19
source

With the details for Rick (second comment on the mentioned blog) here is the MSDN article on httpOnlyCookies.

In the end, you simply add the following section to the system.web section in your web.config:

 <httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />
+10
Aug 28 '08 at 22:17
source

If you want to do this in code, use the System.Web.HttpCookie.HttpOnly property.

This is directly from the MSDN docs:

 // Create a new HttpCookie. HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString()); // By default, the HttpOnly property is set to false // unless specified otherwise in configuration. myHttpCookie.Name = "MyHttpCookie"; Response.AppendCookie(myHttpCookie); // Show the name of the cookie. Response.Write(myHttpCookie.Name); // Create an HttpOnly cookie. HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString()); // Setting the HttpOnly value to true, makes // this cookie accessible only to ASP.NET. myHttpOnlyCookie.HttpOnly = true; myHttpOnlyCookie.Name = "MyHttpOnlyCookie"; Response.AppendCookie(myHttpOnlyCookie); // Show the name of the HttpOnly cookie. Response.Write(myHttpOnlyCookie.Name);

Executing this code allows you to selectively select which HttpOnly cookies and which not.

+7
Aug 29 '08 at 2:48
source

Interestingly, placing <httpCookies httpOnlyCookies="false"/> does not disable httpOnlyCookies in ASP.NET 2.0. Check out this article about SessionID and login issues in ASP.NET 2.0 .

Microsoft seems to have decided not to let you disable it from web.config. Mark a post on forums.asp.net

+3
Apr 21 '09 at 1:57
source


More articles:


All Articles