views:

354

answers:

1

I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions:

  1. Is there some way the scan could be mistaken?
  2. Is there something I do not understand about how the cookies are created? Are these exempt from the httpOnly flag?
  3. Is there a way to verify myself that the cookies are coming out as httpOnly? I am aware of the Watcher add-on for Fiddler but I have not been able to get that to work (I am communicating with the developer). Surely there is something else that can examine the cookie.
+2  A: 

Actually, you can use Fiddler to look at the Raw source of your HTTP request. That should tell you about the httpOnly cookies.

See more about this here: http://www.codinghorror.com/blog/archives/001167.html

Gyuri
Thanks, I was able to view the httpOnly flag by examining the raw header. I am still curious as to why Hailstorm is mistaken. I will leave the question open for a while and accept your answer if no one answers the other part of the question.
strongopinions
I wonder if your cookie was cached: Cacheable Cookies: If the cookie is intended for use by a single user (for private documents), the Set-cookie header should not be cached. To suppress caching of the Set-Cookie header, the origin server should send Cache-control: no-cache="set-cookie" response header. (This is a server-side setting.)
Gyuri
IE doesn't actually respect named header values in the Cache-Control directive; sending no-cache there will prevent caching of the response entirely. I don't know whether other browsers do.
EricLaw -MSFT-
This time the scan did not complain about httpOnly. Maybe it was a caching issue before, but wouldn't the cached version have contained the httpOnly flag anyway?
strongopinions
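The accepted answer's suggestion of reading the raw response can be automated. The following added example (not from the question or answer above) parses the Set-Cookie headers of a raw HTTP response, as copied from Fiddler's Raw view, and reports which cookies lack the HttpOnly flag; the response text and cookie values are constructed for the example, with cookie names borrowed from the question.

```python
from typing import Dict, List

# Constructed sample response, modelled on what Fiddler's Raw view shows.
# Cookie names are taken from the question; the values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: .ASPXAUTH=0123ABCD; path=/; HttpOnly\r\n"
    "Set-Cookie: WSS_AccessibiltyFeature=false; path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response: str) -> Dict[str, Dict[str, bool]]:
    """Return {cookie_name: {"httponly": bool, "secure": bool}} for every
    Set-Cookie header in a raw HTTP response. Attribute names are compared
    case-insensitively, so 'HttpOnly' and 'httponly' both count."""
    head, _, _ = raw_response.partition("\r\n\r\n")  # headers only
    result: Dict[str, Dict[str, bool]] = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        attrs = {p.lower() for p in parts[1:]}  # e.g. {"path=/", "httponly"}
        result[cookie_name] = {
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        }
    return result


def cookies_missing_httponly(raw_response: str) -> List[str]:
    """Names of cookies that were set without the HttpOnly flag."""
    flags = parse_set_cookies(raw_response)
    return [name for name, f in flags.items() if not f["httponly"]]


if __name__ == "__main__":
    for name, f in parse_set_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: HttpOnly={f['httponly']} Secure={f['secure']}")
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_RESPONSE))
```

Paste the real response captured in Fiddler into SAMPLE_RESPONSE to check a live session; a cookie that a scanner flags but that shows HttpOnly here was set correctly by the server.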