Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working - McMap

About

Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working

Asked 4/9, 2014 at 23:28 Answered 4/9, 2014 at 23:28

iis cookies url-rewriting httponly

I

1

18

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks

<rewrite>
  <outboundRules>
    <rule name="Add HttpOnly" preCondition="No HttpOnly">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; HttpOnly" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No HttpOnly">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

UPDATE

I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.

So instead of evaluating

Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly

It is evaluating

myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly

Since the whole string has ; HttpOnly in it, the preCondition fails.

How do I get past this? Any ideas?

Illbred answered 4/9, 2014 at 23:28 Comment(1)

It's perfectly acceptable to answer your own question you know? – Galle 2/10, 2015 at 9:45

G

27

I finally got pass this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.

    <rewrite>
        <outboundRules>
            <rule name="Add HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <add input="{R:0}" pattern="; HttpOnly" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; HttpOnly" />
            </rule>
            <rule name="Add Secure">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <add input="{R:0}" pattern="; Secure" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; Secure" />
            </rule>
        </outboundRules>
    </rewrite>

Hope this helps someone in the future.

Galle answered 4/9, 2014 at 23:28 Comment(4)

Added answer as OP seems to no longer be active on SO, made wiki – Galle 2/10, 2015 at 9:47

Tested on IIS 7.5 Server 2008 R2 ASP Classic works fine. Many other examples seemed to be close but this answer works as it should. – Noles 27/1, 2016 at 22:40

I think the pattern in the match section needs to be ".+" instead of ".*" - otherwise, empty cookies are created on pages that aren't setting cookies. – Spacecraft 10/12, 2018 at 5:44

This saved my from hitting my head against the wall. Cheers! – Mckeever 16/8, 2023 at 17:15

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.