I am developing an ASP.NET MVC server with Entity Framework 6.0. As far as I'm aware, it's set up to be compatible with EF 4.5 (<httpRuntime targetFramework="4.5" />).
I want to ensure that the session cookie (i.e. the cookie that stores the session identifier) is HttpOnly, since that's an industry-wide best practice, which helps protect against Cross-Site Request Forgery attacks.
The problem is, it's created automatically by the framework, so I can't simply change an object's property right after calling the constructor, as is the case with all the other cookies.
In Web.config, I've set <httpCookies httpOnlyCookies="true" />, and yet - when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set to false). And I don't quite know how to change that.
I couldn't find anything in Microsoft's documentation about Web.config's <sessionState> that would change that. Here on Stack Overflow I only found a four-year-old question talking about how the session cookie is HttpOnly by default, which is the precise opposite for me, and a five-days-old question asking why the session cookie is not HttpOnly by default - which for some inexplicable reason was closed - without a comment - as a duplicate of the former.
I know I can retrieve the session cookie, check it and set HttpOnly=true on every request (or do that less often with a slightly more refined/hackish filter, or set it manually on login, or...), but I'm not a blood-soaked barbarian; there has to be a proper way to do this.
So, how do I set the session cookie to HttpOnly?
For example, cookies that persist in server-side sessions don't need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
An HttpOnly cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). If the browser allowed you to access it then it would be a defect in the browser.
Session Cookie will always be httponly. You cannot modify or override it.
> when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false).
```csharp
// Look up the session cookie the browser sent back (default name ASP.NET_SessionId;
// the collection lookup is case-insensitive).
var cookie = Request.Cookies["ASP.NET_SessionId"];
if (cookie != null)
{
    // The browser only echoes "name=value" in the Cookie request header, never the
    // cookie attributes, so the server-side object has no way of knowing the flag.
    var httpOnly = cookie.HttpOnly; // <-- This is always false
}
```
The HttpOnly value is always false on the server side, because the client browser does not send back to the server whether a cookie is HttpOnly or not.
You can use a cookie editor such as the Chrome plugin EditThisCookie.
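Since the flag is only ever visible on the Set-Cookie header the server emits, the place to check or enforce it is the outgoing response, not Request.Cookies. The following is an added example, not code from the question or the answers above: an IHttpModule that inspects Response.Cookies once per request and forces HttpOnly (and Secure on HTTPS) on anything about to be sent, including the framework-created ASP.NET_SessionId cookie. The module name, and the assumption that the default session cookie name is in use, are mine.

```csharp
using System;
using System.Web;

// Register in Web.config under <system.webServer><modules> as:
//   <add name="HttpOnlyCookieModule" type="HttpOnlyCookieModule" />
// (the module and type names here are assumptions for this example).
public class HttpOnlyCookieModule : IHttpModule
{
    // Default name used by SessionStateModule; changeable via <sessionState cookieName="..."/>.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after SessionStateModule has added its cookie and
        // before the response headers are generated (unless the response was
        // explicitly flushed earlier in the pipeline).
        app.EndRequest += (sender, e) =>
        {
            var context = ((HttpApplication)sender).Context;
            EnforceCookieFlags(context.Response, context.Request.IsSecureConnection);
        };
    }

    // Returns the number of cookies whose flags had to be corrected, so the
    // value can be logged: a non-zero count means some code path emitted a
    // cookie without HttpOnly, which is worth investigating rather than
    // silently relying on this module.
    public static int EnforceCookieFlags(HttpResponse response, bool isHttps)
    {
        int corrected = 0;
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];
            bool changed = false;
            if (!cookie.HttpOnly) { cookie.HttpOnly = true; changed = true; }
            // The session identifier must never be sent over plain HTTP; only
            // mark it Secure when the request itself came in over TLS, otherwise
            // the browser would simply drop the cookie.
            if (isHttps && cookie.Name == SessionCookieName && !cookie.Secure)
            {
                cookie.Secure = true;
                changed = true;
            }
            if (changed) corrected++;
        }
        return corrected;
    }

    public void Dispose() { }
}
```

To confirm the result, look at the Set-Cookie header in the browser's network tools or a proxy; that header, not the HttpCookie object on the next request, is where HttpOnly actually lives.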