ASP.NET: How to set cookies as httponly
Summary: How to set cookies as httponly
Rationale, Considerations and Limitations
To increase security, you should set your cookies to be "httponly". A good example of why can be found in Jeff Atwood's blog post here:
http://www.codinghorror.com/blog/archives/001167.html
The reason for doing this is to inform the User Agent (e.g. web browser) that the cookie being sent is only intended for the Web Server to keep track of information, such as user_id, status, etc., and that client-side scripts are not allowed to read or use this cookie in any way. This helps to limit the ability of attackers to gain access to this sensitive information through Cross Site Scripting (XSS) attacks. It is not, however, a complete fix: it makes life harder for the attacker, but there are ways around it depending on the site's vulnerabilities to XSS, CSRF and similar exploits. More info here: http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
Implementation
To do this in ASP.NET is a fairly simple task. Simply add this line to your web.config file (just inside the system.web element):
<httpCookies domain="String" httpOnlyCookies="true" requireSSL="false" />
NOTE: Make sure you replace the domain with your domain name.
You can also find more information on this setting in your MSDN help files:
http://msdn.microsoft.com/en-us/library/ms228262.aspx
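After changing web.config, it is worth confirming that the server really emits the flag, since a typo in the element name or a setting in a nested web.config can silently undo it. The following Python script is an added example, not part of the original article or of ASP.NET: it parses Set-Cookie header values (case-insensitively, as the cookie specification requires) and reports any cookie that lacks HttpOnly, and, for a site served over HTTPS, any cookie that lacks Secure (the attribute that the requireSSL setting above controls). The sample headers are constructed for the example, not captured from a real site.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example: point this at the response headers of your own site after
changing web.config to check that httpOnlyCookies actually took effect.
The sample headers below are constructed, not captured from a real server.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the flags we care about.

    Attribute names are compared case-insensitively ("HttpOnly", "httponly" and
    "HTTPONLY" are all the same flag to a browser).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, http_only="httponly" in attrs, secure="secure" in attrs)


def audit_cookies(set_cookie_headers, served_over_https=True):
    """Return one CookieAudit per header, with a problem string for each missing flag."""
    results = []
    for raw in set_cookie_headers:
        audit = parse_set_cookie(raw)
        if not audit.http_only:
            audit.problems.append("missing HttpOnly: readable by client-side script")
        if served_over_https and not audit.secure:
            audit.problems.append("missing Secure: may be sent over plain HTTP")
        results.append(audit)
    return results


def count_problems(set_cookie_headers, served_over_https=True) -> int:
    """Total number of flag problems across all headers (0 means the audit passed)."""
    return sum(len(a.problems) for a in audit_cookies(set_cookie_headers, served_over_https))


# Constructed sample headers: first as a site might emit them before the
# web.config change, then as the same site should emit them afterwards.
BEFORE = [
    "ASP.NET_SessionId=abc123; path=/",
    "user_id=42; path=/; expires=Wed, 09 Jun 2021 10:18:14 GMT",
]
AFTER = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
    "user_id=42; path=/; HttpOnly; Secure",
]


if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}:")
        for audit in audit_cookies(headers):
            print(f"  {audit.name}: {', '.join(audit.problems) or 'ok'}")
```

Pass `served_over_https=False` for a development site that is only reachable over plain HTTP, so that the Secure check is skipped; on a production HTTPS site both flags should be present on every cookie that carries session or identity data.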
This Hack is part of the ASP.NET Hacks collection