HttpOnly and ASP.NET 2.0

HttpOnly is a flag you can set on a cookie that tells supporting browsers not to expose it to client-side script (document.cookie). That makes it harder for cookie-harvesting attacks (e.g. via XSS) to steal cookies containing authentication tickets or session IDs; it does not fix the underlying XSS, but it takes the easiest payload off the table. I wrote about it here before.

ASP.NET 2.0 now features an HttpOnly property on the HttpCookie class which adds the flag to the Set-Cookie header when set to true. The session state and forms authentication cookies always have this flag set. You can also configure the default for cookies you issue yourself with this configuration element (inside <system.web> in web.config):

<httpCookies httpOnlyCookies="true" />

Unfortunately, this is not the default setting (it is false), so you have to configure it manually in your web.config. Note that it only changes the default for new HttpCookie objects: code that explicitly sets HttpOnly = false still wins.
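As an added example (not code from the original post), the following shows both ways of getting the flag onto a cookie in ASP.NET 2.0: a helper that issues a cookie with HttpOnly set explicitly, and an IHttpModule that hooks PreSendRequestHeaders and forces HttpOnly on every cookie in Response.Cookies right before the headers go out, so that a cookie issued elsewhere with the flag off cannot slip through. The class names HttpOnlyCookieModule and CookieIssuer are this example's own.

```csharp
// Added example, not part of the original post. Assumes ASP.NET 2.0 / System.Web.
using System;
using System.Web;

// Forces the HttpOnly flag on every outgoing cookie, regardless of how it was issued.
public class HttpOnlyCookieModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires once per response, just before the response headers (including
        // Set-Cookie) are written to the client, so cookies can still be modified here.
        app.PreSendRequestHeaders += new EventHandler(OnPreSendRequestHeaders);
    }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpCookieCollection cookies = app.Context.Response.Cookies;

        // HttpCookieCollection is indexable; walk it and set the flag on each cookie.
        // This has the same effect as <httpCookies httpOnlyCookies="true" /> but is
        // enforced in code, so a cookie created with HttpOnly = false is fixed up too.
        for (int i = 0; i < cookies.Count; i++)
        {
            cookies[i].HttpOnly = true;
        }
    }

    public void Dispose() { }
}

// Explicit issuance: set the flag on the HttpCookie object itself.
public static class CookieIssuer
{
    public static HttpCookie IssueHardenedCookie(HttpResponse response,
                                                 bool isSecureConnection,
                                                 string name, string value)
    {
        HttpCookie cookie = new HttpCookie(name, value);

        // Hide the cookie from document.cookie in supporting browsers.
        cookie.HttpOnly = true;

        // Secure (send over TLS only) is a separate flag; set it only when the
        // request actually arrived over HTTPS, otherwise the browser drops the cookie.
        cookie.Secure = isSecureConnection;

        response.Cookies.Add(cookie);
        return cookie;
    }
}
```

Register the module in web.config under <system.web><httpModules> with <add name="HttpOnlyCookieModule" type="HttpOnlyCookieModule" /> (qualify the type with its assembly if the class lives outside App_Code). To verify, look at the raw Set-Cookie header in a proxy or in the browser's network tools: every cookie should now carry the "; HttpOnly" suffix, including ones added by third-party controls.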
