Scott Hanselman

HttpOnly Cookies on ASP.NET 1.1

July 21, '05 Comments [6] Posted in ASP.NET

Internet Explorer 6 SP1 supports an extra "HttpOnly" cookie attribute that prevents client-side script from reading the cookie via the document.cookie property. The cookie still round-trips to the server on every request as usual; only script in the page is kept away from it.

Its value is limited: it only blocks script in the page from reading the cookie (the classic XSS session-theft case). Anything that sits on the response itself, such as a sniffer or a proxy like Fiddler, can strip the attribute before the browser ever sees it, and it does nothing to protect the cookie in transit. That said, it could slow down the average script kiddie for 15 seconds.

You can do it a few ways. I added this to Global.asax to catch all the cookies on the way out the door. You could choose to do this for specific cookies only if you like.

protected void Application_EndRequest(Object sender, EventArgs e)
{
    // HttpCookie in ASP.NET 1.1 has no HttpOnly property, but whatever is in
    // Path is written verbatim into the "path=" attribute of the Set-Cookie
    // header, so appending ";HttpOnly" to the path puts the attribute on the
    // wire as "path=/;HttpOnly".
    foreach(string cookie in Response.Cookies)   // enumerates the cookie names
    {
        const string HTTPONLY = ";HttpOnly";
        string path = Response.Cookies[cookie].Path;
        if (path.EndsWith(HTTPONLY) == false)
        {
            //force HttpOnly to be added to the cookie (idempotent on re-entry)
            Response.Cookies[cookie].Path += HTTPONLY;
        }
    }
}

Of course, ASP.NET 2.0 can do all this for you via the httpOnlyCookies attribute of the <httpCookies> element in Web.config, and HttpCookie gained an HttpOnly property so you can set it per cookie in code.

SILLY GOTCHA: If you do this in your ASP.NET 1.1 app and then run that app under 2.0 without changes, be aware that ASP.NET 2.0 (where httpOnlyCookies defaults to true) will blindly append ANOTHER HttpOnly to every cookie, giving you the attribute TWICE. You'll then need to turn it off in Web.config, since your code is already handling it:

<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />

Only httpOnlyCookies matters here; requireSSL="false" and domain="" are the 2.0 defaults, shown for completeness. The cleaner fix when you move to 2.0 is to remove the Path hack altogether and let the framework emit the attribute.
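Before trusting either the 1.1 Path trick or the 2.0 setting, look at what actually goes over the wire. The following Python script is an added example, not code from the original post: it parses Set-Cookie header lines (for instance copied out of Fiddler) and reports which cookies lack HttpOnly and which carry it twice, the symptom of the gotcha above. The three sample headers are constructed for illustration, not captured from a real server, and the session id and auth token values are made up.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Constructed example input, not captured from a real server: the three
headers below model (1) a cookie emitted by the ASP.NET 1.1 Path trick,
(2) a cookie that never got the attribute, and (3) the ASP.NET 2.0 "double
HttpOnly" gotcha where httpOnlyCookies="true" appends the attribute again.
"""
from typing import Dict, List

SAMPLE_HEADERS: List[str] = [
    "Set-Cookie: ASP.NET_SessionId=h3wqm555ne0rxe45ehuld555; path=/;HttpOnly",
    "Set-Cookie: prefs=theme%3ddark; expires=Thu, 21-Jul-2005 12:00:00 GMT; path=/",
    "Set-Cookie: .ASPXAUTH=0123ABCD; path=/;HttpOnly; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attribute list.

    The optional "Set-Cookie:" prefix is dropped; the cookie value is kept as-is.
    """
    line = header.strip()
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    pieces = [p.strip() for p in line.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = [p for p in pieces[1:] if p]
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str) -> Dict[str, object]:
    """Classify one header: "ok" (one HttpOnly), "missing" (none) or "duplicate" (more)."""
    cookie = parse_set_cookie(header)
    # Attribute names are case-insensitive; keep only the part before any "=".
    flags = [a.split("=", 1)[0].strip().lower() for a in cookie["attrs"]]
    httponly = flags.count("httponly")
    if httponly == 0:
        status = "missing"
    elif httponly == 1:
        status = "ok"
    else:
        status = "duplicate"
    return {
        "name": cookie["name"],
        "httponly": httponly,
        "secure": "secure" in flags,
        "status": status,
    }


def audit(headers: List[str]) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit(SAMPLE_HEADERS):
        print(f"{result['name']:<20} HttpOnly x{result['httponly']}  "
              f"Secure={result['secure']}  -> {result['status']}")
```

Run it against the Set-Cookie lines of a real response and a "duplicate" row tells you the 1.1 hack is still in place on a 2.0 runtime; a "missing" row tells you a cookie got past whatever mechanism you chose. The Secure column is there because the same audit is the natural place to check requireSSL's effect.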

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Friday, July 22, 2005 6:24:51 AM UTC
"That said, it could slow down the average script kiddie for 15 seconds"

To what kind of attack/threat are you referring here?
Which sniffer will remove that on an XSS victim's PC?

dominick
Friday, July 22, 2005 1:32:28 PM UTC
What about doing it all in the code so there's no need to hassle with versions or touch config files?

protected void Application_EndRequest(Object sender, EventArgs e)
{
    // Only apply the Path trick on the 1.x runtime; 2.0 adds HttpOnly itself
    if(System.Environment.Version.Major<2)
    {
        foreach(string cookie in Response.Cookies)
        {
            const string HTTPONLY = ";HttpOnly";
            string path = Response.Cookies[cookie].Path;
            if (path.EndsWith(HTTPONLY) == false)
            {
                //force HttpOnly to be added to the cookie
                Response.Cookies[cookie].Path += HTTPONLY;
            }
        }
    }
}
Friday, July 22, 2005 1:50:01 PM UTC
I guess it's for html-script-injection-to-expose-session-id-or-stored-password attacks, e.g. for forums.
Anonymous
Friday, July 22, 2005 4:10:49 PM UTC
Daniel. Nice! I totally forgot about System.Environment. Thanks!
Friday, July 22, 2005 6:06:42 PM UTC
What's with declaring the const inside of the loop? Would it make more sense to declare it once above the foreach?
Anon
Friday, July 22, 2005 7:40:54 PM UTC
That's just me being sloppy. The JIT fixes that kind of sloppiness though.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.