 

How exactly do you configure httpOnlyCookies in ASP.NET?

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"

How do you set this property? Somewhere in the web config?

Teller asked Aug 28 '08 22:08




2 Answers

If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:

<httpCookies httpOnlyCookies="true"/> 
Corey McKinnon answered Oct 11 '22 13:10


With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies.

Bottom line is that you just add the following section in your system.web section in your web.config:

<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" /> 
Dillie-O answered Oct 11 '22 13:10
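To confirm that a deployed Web.config really carries the setting from the answers above, the following added example (not code from either answer) parses a config file and reports any httpCookies attribute that is not "true". The sample files, the function names and the choice to flag requireSSL as well are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ATTRS = ("httpOnlyCookies", "requireSSL")  # both default to false when omitted

# Constructed sample files, not taken from the page.
HARDENED = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""

# Older generated files declare a namespace on <configuration>.
WEAK = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

NO_ELEMENT = "<configuration><system.web /></configuration>"


def local_name(tag):
    """Drop an XML namespace prefix such as '{uri}httpCookies'."""
    return tag.rsplit("}", 1)[-1]


def audit_http_cookies(config_xml):
    """Return (attribute, value) pairs that are not "true"; value None = unset."""
    root = ET.fromstring(config_xml)
    nodes = [el for el in root.iter() if local_name(el.tag) == "httpCookies"]
    if not nodes:
        # Nothing set in this file: the built-in default for both is false.
        return [(attr, None) for attr in ATTRS]
    findings = []
    for node in nodes:
        for attr in ATTRS:
            value = node.get(attr)
            if value is None or value.strip().lower() != "true":
                findings.append((attr, value))
    return findings


if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED), ("weak", WEAK), ("none", NO_ELEMENT)):
        print(name, audit_http_cookies(xml) or "ok")
```

An empty result means every httpCookies element in the file sets both attributes to true; the check reads one file only and does not resolve values inherited from parent configuration files.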