Internet Explorer 6 SP1 supports an extra "HttpOnly" cookie attribute, that prevents client-side script from accessing the cookie via the document.cookie property. Cookies still round trip.
The value of this property is questionable since any sniffer or Fiddler could easily remove it. That said, it could slow down the average script kiddie for 15 seconds.
You can do it a few ways. I added this to the Global.asax and catch all the cookies on the way out the door. You could choose to do this to specific cookies if you like.
protected void Application_EndRequest(Object sender, EventArgs e)
foreach(string cookie in Response.Cookies)
const string HTTPONLY = ";HttpOnly";
string path = Response.Cookies[cookie].Path;
if (path.EndsWith(HTTPONLY) == false)
//force HttpOnly to be added to the cookie
Response.Cookies[cookie].Path += HTTPONLY;
Of course, ASP.NET 2.0 can do all this for you via a Web.config setting.
SILLY GOTCHA: If you do this in your ASP.NET 1.1 app and then run your 1.1 app under 2.0 without changes, be aware that ASP.NET 2.0 will blindly append ANOTHER HttpOnly after every cookie giving you the value TWICE. You'll then need to turn if off in web.config as your code would be handling it.
<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.