httponly

How exactly do you configure httpOnlyCookies in ASP.NET?

自闭症网瘾萝莉.ら submitted on 2019-11-28 17:25:40
Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly" How do you set this property? Somewhere in the web config? Corey McKinnon If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line: <httpCookies httpOnlyCookies="true"/> With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies. Bottom line is that you just add the following section in your system.web section in your web.config: <httpCookies domain="" httpOnlyCookies="true|false"

c# Get httponly cookie

你离开我真会死。 submitted on 2019-11-28 14:15:08
How can I get a httponly cookie in a httpwebresponse? Habitually I use a CookieContainer to get the cookies in a httpwebresponse, but it doesn't work with httponly cookie. Is there another way to catch them? Yes, it is possible to retrieve a HTTPOnly cookie, for instance from a client program using the "InternetGetCookieEx" function in the "Wininet.dll". You must use PInvoke code like this: /// <summary> /// WinInet.dll wrapper /// </summary> internal static class CookieReader { /// <summary> /// Enables the retrieval of cookies that are marked as "HTTPOnly". /// Do not use this flag if

Setting HTTPONLY for Classic Asp Session Cookie

99封情书 submitted on 2019-11-28 05:49:24
Does anyone know exactly how to set HTTPONLY on classic ASP session cookies? This is the final thing that's been flagged in a vulnerability scan and needs fixing ASAP, so any help is appreciated. ~~~A LITTLE MORE INFORMATION ON MY PROBLEM~~~ Can anyone please help me with this? I need to know how to set HTTPONLY on the ASPSESSION cookie created by default from ASP & IIS. This is the cookie automatically created by the server for all asp pages. If needed I can set HTTPONLY on all cookies across the site. Any help on how to do this would be massively appreciated. Thanks Thanks Elliott Microsoft

How do you set up use HttpOnly cookies in PHP

前提是你 submitted on 2019-11-27 16:56:46
How can I set the cookies in my PHP apps as HttpOnly cookies? Cheekysoft For your cookies, see this answer. For PHP's own session cookie (PHPSESSID, by default), see @richie's answer. The setcookie() and setrawcookie() functions introduced the httponly parameter, back in the dark ages of PHP 5.2.0, making this nice and easy. Simply set the 7th parameter to true, as per the syntax. Function syntax simplified for brevity: setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly ) setrawcookie( $name, $value, $expire, $path, $domain, $secure, $httponly ) Enter NULL for parameters

Logout with HttpOnly cookie

对着背影说爱祢 submitted on 2019-11-27 16:11:56
Question: I can see that HttpOnly cookies are good for security, however they make logging out without server interaction impossible, right? [1] So when the network fails, you can't log out and leave. I can imagine a workaround, but I'd like to ask first: does it make sense to handle this case? Are there any standard solutions for this? [1] Assuming you're actually using them.
Answer 1: If by logging out you mean removing the session cookie, then no, you cannot remove HttpOnly cookies from JavaScript. It is,

How exactly do you configure httpOnlyCookies in ASP.NET?

青春壹個敷衍的年華 submitted on 2019-11-27 10:27:41
Question: Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly" How do you set this property? Somewhere in the web config?
Answer 1: If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line: <httpCookies httpOnlyCookies="true"/>
Answer 2: With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies. Bottom line is that you just add the following section in your

c# Get httponly cookie

試著忘記壹切 submitted on 2019-11-27 08:15:48
Question: How can I get a httponly cookie in a httpwebresponse? Habitually I use a CookieContainer to get the cookies in a httpwebresponse, but it doesn't work with httponly cookie. Is there another way to catch them?
Answer 1: Yes, it is possible to retrieve a HTTPOnly cookie, for instance from a client program using the "InternetGetCookieEx" function in the "Wininet.dll". You must use PInvoke code like this: /// <summary> /// WinInet.dll wrapper /// </summary> internal static class CookieReader { ///

How can I get HttpOnly cookies in Windows Phone 8?

扶醉桌前 submitted on 2019-11-27 08:01:19
Question: I am working in a Windows Phone 8 PCL project. I am using a 3rd party REST API and I need to use a few HttpOnly cookies originated by the API. It seems like getting/accessing the HttpOnly cookies from HttpClientHandler's CookieContainer is not possible unless you use reflection or some other backdoor. I need to get these cookies and send them in subsequent requests otherwise I am not going to be able to work with this API - how can I accomplish this? Here is what my current request code looks

How do HttpOnly cookies work with AJAX requests?

本秂侑毒 submitted on 2019-11-27 05:46:57
JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if HttpOnly is specified. Firefox later adopted this. So my question is: If you are using AJAX on a site, like StackOverflow, are Http-Only cookies an option? Edit 2: Question 2. If the purpose of HttpOnly is to prevent JavaScript access to cookies, and you can still retrieve the cookies via JavaScript through the XmlHttpRequest Object, what is the

Secure and HttpOnly flags for session cookie Websphere 7

半城伤御伤魂 submitted on 2019-11-27 02:47:50
Question: In Servlet 3.0 compliant application servers I can set the HttpOnly and secure flags for the session cookie (JSESSIONID) by adding the following to the web.xml: <session-config> <cookie-config> <secure>true</secure> <http-only>true</http-only> </cookie-config> </session-config> However, the application I'm working on is to be deployed in Websphere 7, which is Servlet 2.5 compliant and it fails to start if I add the above to the web.xml. Is there any other declarative way or setting in