ASP MVC 3 cookie losing HttpOnly and Secure flags
I am setting cookies as part of my mvc application:

var cookie = new HttpCookie(CookieName, encryptedData)
{
    Path = FormsAuthentication.FormsCookiePath,
    Domain = CookieDomain,
    Expires = authenticationTicket.Expiration,
    HttpOnly = true,
    Secure = IsSecure // true
};
response.Cookies.Add(cookie);

Now if I debug I see that it's all working fine, no problems, and it's added and that's fine too. However, for some reason when it actually reaches the browser there is no HttpOnly flag or Secure flag set. So I'm a bit baffled...

I have tried setting the HttpOnly and Secure flags in the cookie web.config entry under System.Web:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Now here is how the response looks when the browser receives it:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 10000
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, x-requested-with, *
Access-Control-Allow-Origin: http://localhost:34567
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: myCookie=[value elided]; expires=Wed, 27-Feb-2013 19:15:24 GMT; path=/
Date: Wed, 27 Feb 2013 18:45:24 GMT
Content-Length: 2

So am I missing something here? Or is there something that I am not setting somewhere that I should be? I am also using CORS because this cookie is issued from a web server as an authentication mechanism. SSL is enabled and is also being used via https for calls. Even if I turn secure cookies off and use http, the HttpOnly flag is not being set either, so I am baffled.

=== Update ===

Having double checked, it appears I misinformed you: the HttpOnly response is sent down from the server correctly the first time you receive the cookie, HOWEVER! when an AJAX call then sends the cookie to the server it seems to not add the HttpOnly flag, which then means the cookie being thrown around is no longer as secure. The Secure part of the cookie is not sent down on the first response, but at least this adds a bit more context to it all.

Nutter answered 27/2, 2013 at 18:56 Comment(0)

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
      <!-- forms content -->
    </forms>
  </authentication>
</system.web>
Arse answered 27/2, 2013 at 19:1 Comment(5)
Thanks, will give it a go. This won't affect the HttpOnly though, will it? Or does that need to be set on forms or something too? I find it odd if this does work as I'm MANUALLY setting this per cookie, so I don't know why it would not accept the details entered. - Nutter
The forms bit won't work, it just tells me the web.config is not valid, but the documentation won't load on MSDN, so not entirely sure if there are some required child elements. - Nutter
Although this wasn't the answer to my question, I am sure most people coming here will need the solution you list above, so will mark you as the answer. - Nutter
Sorry, I've been away from my machine since posting this. I will check your post out now. Interesting issue.... - Arse
If I add forms under system.web, I get this error: The element 'system.web' has invalid child element 'forms'. - Rubicon

It seems like this is all correct behaviour, I wrote another question specifically about the httponly client cookie behaviour, and that led to another post... what a rabbit hole.

What should be the correct behaviour of browser when sending and receiving httponly cookie via ajax?

Anyway that seems to indicate the server needs to keep tampering with the cookie to add the HttpOnly behaviour.

I have made a custom HttpModule which will check for the cookie in question and re-apply the desired behaviour to the cookie (based on configuration from the web.config).

Nutter answered 27/2, 2013 at 21:28 Comment(1)
Why did you accept an answer and include your own? - Happiness
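The HttpModule approach from the self-answer above, written out as an added example (not the original poster's module or any project code). HttpOnly and Secure are attributes of the Set-Cookie response header, so a browser never echoes them back in the Cookie request header; what matters is that every response which re-emits the cookie carries them. The cookie name "myCookie" and the reading of <httpCookies> from web.config are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

// Re-applies HttpOnly/Secure to one named cookie on every response, driven by
// the <httpCookies> element in web.config. Flags are only ever raised, never
// stripped, so code that already set them (as in the question) is untouched.
public class CookieFlagModule : IHttpModule
{
    // Cookie to harden; constructed sample name, not a value from a real app.
    private const string CookieName = "myCookie";

    public void Init(HttpApplication app)
    {
        // Last hook before headers leave the server; Response.Cookies is still mutable.
        app.PreSendRequestHeaders += (sender, e) =>
        {
            var application = sender as HttpApplication;
            if (application != null)
                ApplyFlags(application.Context.Response, ReadPolicy());
        };
    }

    public void Dispose() { }

    // Reads httpOnlyCookies / requireSSL from <system.web><httpCookies>. When the
    // element is absent this example assumes HttpOnly on and Secure off, which is
    // stricter than ASP.NET's own default of both off.
    public static Tuple<bool, bool> ReadPolicy()
    {
        var section = WebConfigurationManager.GetSection("system.web/httpCookies")
                      as HttpCookiesSection;
        bool httpOnly = section == null || section.HttpOnlyCookies;
        bool secure = section != null && section.RequireSSL;
        return Tuple.Create(httpOnly, secure);
    }

    public static void ApplyFlags(HttpResponse response, Tuple<bool, bool> policy)
    {
        // Response.Cookies[name] silently creates an empty cookie when the name is
        // missing, which would emit a stray Set-Cookie; check AllKeys first.
        if (Array.IndexOf(response.Cookies.AllKeys, CookieName) < 0)
            return;

        var cookie = response.Cookies[CookieName];
        cookie.HttpOnly = cookie.HttpOnly || policy.Item1;
        cookie.Secure = cookie.Secure || policy.Item2;
    }
}
```

Register the module under <system.webServer><modules> for the IIS 7 integrated pipeline (or <system.web><httpModules> in classic mode), and keep requireSSL="true" only on sites served over https, since browsers discard a Secure cookie delivered over plain http.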
