HttpOnly and ASP.NET 2.0

HttpOnly is a flag that you can append to cookies which makes it a little bit harder for cookie harvesting attacks (e.g. via XSS) to steal your valuable cookies containing authentication tickets or session IDs. I wrote about it here before.

ASP.NET 2.0 now features a HttpOnly property on the HttpCookie class which adds the flag when set to true. Session and authentication cookies always have this flag set. You can also configure the default behaviour of your manually issued cookie by using this configuration element:

<httpCookies httpOnlyCookies=true />

Unfortunately, this is not the default setting and you have to configure that manually in your web.config.

 

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s