ASP.NET HttpOnly cookie in web.config not working
From everything I've read online, a web.config like this should enable HttpOnly cookies in ASP.NET 2.0. However, this is not working.

<configuration>
<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>
...
</configuration>

Is there something else I'm missing? I've seen many posts on this subject, but the cookies will not show up as HttpOnly (or secure, if I add the requireSSL="true" to the tag).

I'm using IIS 7.0.

Edit:

I'm trying to set this in the web.config at the root level to cover all cookies. I'm looking at the cookies in Firebug on the ASP page and the 'HttpOnly' section that should have green text saying 'HttpOnly' is empty for some of them.

Example: (screenshot of the Firebug cookie panel, not reproduced here)

Gunderson answered 30/11, 2012 at 16:47 Comment(9)
This is the required setting. Could you please share where you are creating your cookie and how you checked that this is not working? Fillagree
Other cookies are generated by default and not governed by our custom cookie setting rules. Fillagree
I think the one cookie that shows HttpOnly was actually picked up from another part of the site. When I reopened Firefox it no longer shows that. So I'm back to not having the web.config working correctly. Gunderson
I think we are taking the wrong direction here. Once you have set your cookie, after some time it will be destroyed, and a new cookie gets created if it is not marked as a persistent cookie. So if you reopen the browser again and make a request, you will not be able to set the cookie again until it expires. Fillagree
Well, I think the problem is that the cookie is never being written as HttpOnly in the first place. For some reason the ASP.NET_SessionID is HttpOnly, and I think this is some kind of ASP.NET default, not something I'm doing, as shown by the others not being HttpOnly. Gunderson
About aspnet_sessionid: #2247643 Fillagree
You have not shared the code showing where you are creating the cookie in your project. Refer to this: #34029 Fillagree
CodeSpread, thank you for the links. The second link is what I found and how I'm trying to implement this (through the web.config). From my screenshot, do you know what the cookies mean that start out 'ASPSESSIONIDsomeRandomString'? I have not posted any code because I inherited this project, so 1) I don't know where all the cookies are, and 2) there are dozens of applications in this project folder, so there are many, many places cookies could be created. Thank you for your help. Gunderson
Did you figure this out? Clown
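Added note and example (not part of the original question or its comments): `<httpCookies httpOnlyCookies="true" />` only changes the default HttpOnly value of the HttpCookie objects that the ASP.NET runtime creates for that application, and `requireSSL="true"` likewise only adds the Secure flag to those; code that explicitly sets `HttpOnly = false` on a cookie still wins. The setting has no effect on cookies issued outside the ASP.NET pipeline. In particular, a cookie named `ASPSESSIONID` followed by a random string is the classic ASP (asp.dll) session cookie, which no setting under `<system.web>` governs, so a site that mixes classic .asp pages with ASP.NET will keep emitting those cookies without the flag whatever the web.config says. Rather than judging from Firebug's colouring, inspect the raw `Set-Cookie` headers. The Python script below, written for this page and not taken from the question, IIS or ASP.NET, parses a constructed response modelled on the symptom described (the header block, cookie names and values are invented, not captured from a real server), records which cookies carry HttpOnly and Secure, and attributes each cookie to its likely issuer by name.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and attribute each cookie to its issuer.

Added example for this page; not code from the question, from ASP.NET or from IIS.
"""
from dataclasses import dataclass

# Constructed sample response headers (invented for this example, not captured
# from a real IIS server). It mirrors the symptom in the question: the ASP.NET
# session cookie carries HttpOnly, the classic ASP session cookie and a
# hand-written application cookie do not, and nothing carries Secure.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Set-Cookie: ASP.NET_SessionId=k2p4yl45nysxqj45o0z3; path=/; HttpOnly
Set-Cookie: ASPSESSIONIDQCRBSDDT=ABCDEFGHIJKLMNOPQRSTUVWX; path=/
Set-Cookie: .ASPXAUTH=1A2B3C4D; path=/; HttpOnly
Set-Cookie: userPrefs=theme%3Ddark; expires=Mon, 02-Dec-2012 16:47:00 GMT; path=/
Content-Type: text/html
"""


@dataclass
class CookieInfo:
    name: str
    httponly: bool
    secure: bool
    issuer: str


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(';')]
    name = parts[0].split('=', 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Expires=...) are dropped.
    attrs = {p.split('=', 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def classify_issuer(name):
    """Attribute a cookie to the component that emits it, based on well-known names."""
    if name == 'ASP.NET_SessionId':
        return 'ASP.NET session state (sets HttpOnly itself)'
    if name.startswith('ASPSESSIONID'):
        return 'classic ASP session (asp.dll); <httpCookies> does not apply'
    if name == '.ASPXAUTH':
        return 'ASP.NET forms authentication'
    return 'application cookie; check the code that creates it'


def audit(raw_headers):
    """Parse every Set-Cookie header in a raw HTTP response header block."""
    results = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(':')
        if sep and header.strip().lower() == 'set-cookie':
            name, attrs = parse_set_cookie(value)
            results.append(CookieInfo(name, 'httponly' in attrs,
                                      'secure' in attrs, classify_issuer(name)))
    return results


def missing_flags(raw_headers, require_secure=False):
    """Names of cookies lacking HttpOnly (and Secure, when require_secure is set)."""
    return [c.name for c in audit(raw_headers)
            if not c.httponly or (require_secure and not c.secure)]


if __name__ == '__main__':
    for c in audit(SAMPLE_HEADERS):
        flags = ('HttpOnly' if c.httponly else '-') + ' ' + ('Secure' if c.secure else '-')
        print(f'{c.name:24} {flags:18} {c.issuer}')
    print('Missing HttpOnly:', missing_flags(SAMPLE_HEADERS))
```

Feed it the headers from `curl -sI` against an .asp and an .aspx page of the site (or the raw headers from Firebug's Net panel) instead of the constructed sample. Anything `missing_flags` lists has to be fixed where the cookie is produced: for ASP.NET cookies that is the application's web.config or the code that sets `HttpOnly = false`; for classic ASP session cookies it is outside `<system.web>` entirely, for example a server-side response-header rewrite in IIS.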
