Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"
How do you set this property? Somewhere in the web config?
HttpOnly cookies (cookies with the HttpOnly attribute) were introduced in Internet Explorer 6 to help mitigate the risk of cross-site scripting. The HttpOnly attribute prevents cookies from being accessed through client-side script.
Here is an example of how you can do this in PHP using the setcookie function: setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true]); The last value (true) represents setting the HttpOnly attribute.
true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false . The default is false .
Set HttpOnly cookie in PHPini_set("session. cookie_httponly", True); This is the most common way to set cookies in PHP, empty variables will hold their default value.
If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:
<httpCookies httpOnlyCookies="true"/>
With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies.
Bottom line is that you just add the following section in your system.web section in your web.config:
<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With