views: 2477

answers: 4

I'm looking to implement httpOnly in my legacy ASP classic sites. Anyone knows how to do it?

+2  A: 

You need to append ";HttpOnly" to the Response cookies collection.

Gulzar
It is not clear; a bit of code would be great.
Eduardo Molteni
+4  A: 
Response.AddHeader "Set-Cookie", "mycookie=yo; HttpOnly"

Other options like expires, path and secure can be also added in this way. I don't know of any magical way to change your whole cookies collection, but I could be wrong about that.

Aaron Wagner
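As an added illustration of the AddHeader approach (this is not code from any of the answers above), here is a small classic ASP helper that builds the complete Set-Cookie value with Path, Expires and Secure alongside HttpOnly, so the attributes are formatted consistently instead of being hand-typed on every page. HttpDate, BuildSetCookie and SetHttpOnlyCookie are assumed helper names, not built-in ASP members.

```vbscript
<%
Option Explicit
' Added example: Response.Cookies in classic ASP exposes no HttpOnly property,
' so the cookie is written with Response.AddHeader instead. Cookies set this way
' do not appear in Response.Cookies, so do not set the same name through both.

' Format a date as the RFC 1123 GMT string the Expires attribute requires,
' e.g. "Wed, 21 Oct 2015 07:28:00 GMT". Assumes the server clock is UTC;
' adjust with DateAdd if it is not.
Function HttpDate(d)
    Dim days, months
    days = Array("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
    months = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", _
                   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
    HttpDate = days(Weekday(d) - 1) & ", " & Right("0" & Day(d), 2) & " " & _
               months(Month(d) - 1) & " " & Year(d) & " " & _
               Right("0" & Hour(d), 2) & ":" & Right("0" & Minute(d), 2) & ":" & _
               Right("0" & Second(d), 2) & " GMT"
End Function

' Build the Set-Cookie header value. The value is URL-encoded so a ";" or
' whitespace in it cannot break the attribute list. expiresDate may be Null
' for a session cookie.
Function BuildSetCookie(name, value, path, expiresDate, secure)
    Dim h
    h = name & "=" & Server.URLEncode(value)
    If Len(path) > 0 Then h = h & "; Path=" & path
    If Not IsNull(expiresDate) Then h = h & "; Expires=" & HttpDate(expiresDate)
    If secure Then h = h & "; Secure"
    h = h & "; HttpOnly"
    BuildSetCookie = h
End Function

' Emit the cookie. Headers must be sent before any body output, so call this
' before writing content or keep Response.Buffer = True.
Sub SetHttpOnlyCookie(name, value, path, expiresDate, secure)
    Response.AddHeader "Set-Cookie", BuildSetCookie(name, value, path, expiresDate, secure)
End Sub

Response.Buffer = True
' Session cookie scoped to the site root, sent only over HTTPS.
SetHttpOnlyCookie "sessiontoken", "abc123", "/", Null, True
' Persistent cookie that expires in 30 days.
SetHttpOnlyCookie "prefs", "theme=dark", "/", DateAdd("d", 30, Now()), True
%>
```

To confirm the flags reached the client, inspect the raw Set-Cookie response header in the browser's developer tools or with a proxy; the Response.Cookies collection will not show these cookies.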
A: 

Let me be the first to congratulate you on adding an excellent security feature to your cookies. Why more sites don't use the HttpOnly attribute, I'll never know...

Josh Hinman
+2  A: 

HttpOnly does very little to improve the security of web applications. For one thing, it only works in IE (Firefox "supports" it, but still discloses cookies to JavaScript in some situations). For another thing, it only prevents a "drive-by" attack against your application; it does nothing to keep a cross-site scripting attack from resetting passwords, changing email addresses, or placing orders.

Should you use it? Sure. It's not going to hurt you. But there are 10 things you should be sure you're doing before you start messing with HttpOnly.

tqbf
Yes, I know. But adding one more layer of protection never hurts.
Eduardo Molteni