In my web project, the setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in the code where a cookie is being set to HttpOnly. However, when I browse to the site I can see that the ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?
+4
A:
ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.
If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly, the code for creating the ASP.NET session cookie looks like:
// System.Web.SessionState.SessionIDManager (System.Web.dll)
private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true; // <-- burned in
    return cookie;
}
Kev
2010-02-11 19:44:50
Found documentation here: http://msdn.microsoft.com/en-us/library/aa480476.aspx "HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true."
dev.e.loper
2010-02-11 19:56:28
@dev - I just dug into the System.Web.dll assembly to take a peek :)
Kev
2010-02-11 20:01:54
The part right below it is important too. Older browsers do not support HttpOnly, and may either ignore the cookie or ignore the attribute; the latter still leaves your site open to XSS attacks.
Josh Stodola
2010-02-11 20:02:27
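The check the question describes doing by eye (reading the response's Set-Cookie headers) written up as a small audit; this is an added Python example, not code from the thread or from ASP.NET. The sample headers are constructed; ASP.NET_SessionId is the default session cookie name, and the attribute lookup is case-insensitive as RFC 6265 requires.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: Dict[str, str]  # lower-cased attribute name -> value ("" for flags)


def parse_set_cookie(header: str) -> SetCookie:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are case-insensitive, so 'HttpOnly' and 'httponly'
    are treated identically; flag attributes get an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attributes)


def has_httponly(header: str) -> bool:
    """True when the cookie is marked unreadable by client-side script."""
    return "httponly" in parse_set_cookie(header).attributes


def cookies_missing_httponly(headers: Iterable[str]) -> List[str]:
    """Return the names of cookies set without HttpOnly, in header order."""
    return [parse_set_cookie(h).name for h in headers if not has_httponly(h)]


# Constructed sample: the framework-issued session cookie carries HttpOnly
# (hard-coded in SessionIDManager); an application cookie does not.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=CONSTRUCTED-SESSION-ID; path=/; HttpOnly",
    "prefs=theme%3Ddark; expires=Thu, 11-Feb-2011 19:44:50 GMT; path=/",
    "csrf=CONSTRUCTED-TOKEN; path=/; secure; httponly",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is readable by client script (no HttpOnly)")
```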
+1
A:
It is HttpOnly so your session cookie cannot be modified by the client with JavaScript.
Shawn Steward
2010-02-11 19:46:58
Correct. I knew that part. I rephrased my question from "why" to "how is it set?"
dev.e.loper
2010-02-11 19:53:42