How is HttpOnly get set for ASP.NET_SessionId cookie?

In my web project, the setting to turn on httpOnlyCookies is not there; it is false by default. Also, there is no place in the code where the cookie is set to HttpOnly. However, when I browse to the site I can see that the ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?

Caldwell answered 11/2, 2010 at 19:32 Comment(0)

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

// Decompiled from System.Web.SessionState.SessionIDManager (System.Web.dll).
// Config.CookieName is the sessionState cookieName, "ASP.NET_SessionId" by default.
private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in; the httpCookies setting is not consulted here
    return cookie;
}
Thanksgiving answered 11/2, 2010 at 19:44 Comment(9)
found documentation here: msdn.microsoft.com/en-us/library/aa480476.aspx "HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true."Caldwell
@dev - I just dug into the System.Web.dll assembly to take a peek :)Thanksgiving
The part right below it is important too. Older browsers do not support HttpOnly, and may either ignore the cookie or ignore the attribute, the latter still leaves your site open to XSS attacks.Denman
I am confused. The documentation at msdn.microsoft.com/en-us/library/… says that the default value is false: "true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. The default is false."Tanning
@Tanning - this question and answer is about session cookies, not regular cookies. Session cookies are always HTTP Only, that is burned into the framework code.Thanksgiving
Thanks. That's cool. How do I set the secure flag on a cookie? I have <httpCookies httpOnlyCookies="true" requireSSL="true"/> in web.config, and even when I access my web app through https, I don't see the secure flag for the session cookie in firebug.Tanning
@Tanning - see https://mcmap.net/q/143575/-how-can-i-set-the-secure-flag-on-an-asp-net-session-cookie (the answer with 54 upvotes). You'll not see anything special happen to the cookie (to the best of my knowledge), other than that the cookie will only be transmitted over SSL.Thanksgiving
Thanks. I've read that thread at the link you gave. Are you saying that even with requireSSL="true" in web.config for httpCookies, we will not see in firebug the secure flag for the ASP.NET_SessionId cookie?Tanning
@Tanning - I don't use Firebug so I've no idea. You can test this by seeing if your cookies arrive on a non-ssl connection. Sorry, not being much help here. I'm doing less .NET development these days so my memory is a bit vague.Thanksgiving
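
The thread above establishes two things: HttpOnly on ASP.NET_SessionId comes from framework code, and Secure only appears once <httpCookies requireSSL="true"/> is set (and the page is served over HTTPS). The question Tanning is left with is how to verify that from the outside. The following is an added example, not code from the original answer or from ASP.NET: a small parser for Set-Cookie response headers that reports whether the session cookie carries HttpOnly and Secure. The two sample header sets are constructed to resemble what ASP.NET emits by default and with requireSSL="true"; the session id value is made up, and the cookie name is assumed to be the default ASP.NET_SessionId.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not from the original answer. The sample headers below are
constructed, not captured from a real server.
"""
from typing import List, NamedTuple


class CookieFlags(NamedTuple):
    name: str
    value: str
    http_only: bool
    secure: bool
    same_site: str  # "" when the attribute is absent


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into name, value and the flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    http_only = secure = False
    same_site = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip()
    return CookieFlags(name.strip(), value.strip(), http_only, secure, same_site)


def session_cookie_findings(headers: List[str],
                            cookie_name: str = "ASP.NET_SessionId") -> List[str]:
    """Return findings for the session cookie; an empty list means both flags are present."""
    findings = []
    seen = False
    for h in headers:
        c = parse_set_cookie(h)
        if c.name != cookie_name:
            continue
        seen = True
        if not c.http_only:
            findings.append(f"{cookie_name} is missing HttpOnly")
        if not c.secure:
            findings.append(f"{cookie_name} is missing Secure")
    if not seen:
        findings.append(f"no Set-Cookie for {cookie_name} in response")
    return findings


# Constructed samples: default ASP.NET (HttpOnly burned in, no Secure)
# versus <httpCookies requireSSL="true"/> over HTTPS.
DEFAULT_HEADERS = [
    "ASP.NET_SessionId=abc123def456ghi789jkl012; path=/; HttpOnly",
]
REQUIRE_SSL_HEADERS = [
    "ASP.NET_SessionId=abc123def456ghi789jkl012; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_HEADERS), ("requireSSL", REQUIRE_SSL_HEADERS)):
        print(label, session_cookie_findings(hdrs) or ["ok"])
```

Against a live site, feed it the Set-Cookie values from the first response that starts a session (for example from curl -i over https); if "missing Secure" shows up even with requireSSL="true", the response was most likely not served over HTTPS end to end, which is the case to check before concluding the setting is ignored.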

It is HttpOnly so your session cookie cannot be modified by the client with JavaScript.

Diep answered 11/2, 2010 at 19:46 Comment(1)
Correct. I knew that part. I rephrased my question from "why" to "how is it set?"Caldwell

© 2022 - 2024 — McMap. All rights reserved.