
Internet Explorer 6 SP1 supports an extra "HttpOnly" cookie attribute that prevents client-side script from accessing the cookie via the document.cookie property. Cookies still round trip.

The value of this attribute is questionable, since any sniffer or a proxy like Fiddler could easily remove it. That said, it could slow down the average script kiddie for 15 seconds.

You can do it a few ways. I added this to Global.asax to catch all the cookies on the way out the door. You could choose to do this for specific cookies only if you like.

protected void Application_EndRequest(Object sender, EventArgs e)
{
    // ASP.NET 1.1 has no HttpOnly property on HttpCookie, so the attribute is
    // smuggled into the Set-Cookie header by appending it to the Path value.
    // Enumerating Response.Cookies yields the cookie names as strings.
    foreach(string cookie in Response.Cookies)
    {
        const string HTTPONLY = ";HttpOnly";
        string path = Response.Cookies[cookie].Path;
        if (path.EndsWith(HTTPONLY) == false)
        {
            //force HttpOnly to be added to the cookie
            Response.Cookies[cookie].Path += HTTPONLY;
        }
    }
}

Of course, ASP.NET 2.0 can do all this for you via a Web.config setting.

SILLY GOTCHA: If you do this in your ASP.NET 1.1 app and then run your 1.1 app under 2.0 without changes, be aware that ASP.NET 2.0 will blindly append ANOTHER HttpOnly after every cookie, giving you the value TWICE. You'll then need to turn it off in web.config, since your code would be handling it.

<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
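To verify what actually leaves the server, here is a small Set-Cookie audit written for this post (added example, not code from the original post or from ASP.NET): it parses each Set-Cookie header, flags cookies that lack HttpOnly, and flags the doubled HttpOnly produced by the 1.1 hack running under 2.0. The sample headers are constructed.

```python
"""Audit Set-Cookie headers for a missing or duplicated HttpOnly attribute."""
from typing import Dict, List, Tuple

# Constructed sample headers: the 1.1 hack's output, a cookie with no flag,
# and the "SILLY GOTCHA" case where ASP.NET 2.0 appended HttpOnly a second time.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/;HttpOnly",
    "prefs=dark; path=/",
    "ASP.NET_SessionId=abc123; path=/;HttpOnly; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercased attribute list."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Tuple[str, str]] = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one header: 'missing-httponly' or 'duplicate-httponly'."""
    cookie = parse_set_cookie(header)
    count = sum(1 for key, _ in cookie["attrs"] if key == "httponly")
    findings = []
    if count == 0:
        findings.append("missing-httponly")
    elif count > 1:
        findings.append("duplicate-httponly")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response; returns {cookie name: findings}."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {findings or 'ok'}")
```

Feed it the raw Set-Cookie lines captured from your own test client to confirm the attribute is present exactly once after an upgrade.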



Thursday, July 21, 2005 10:24:51 PM (Pacific Standard Time, UTC-08:00)
"That said, it could slow down the average script kiddie for 15 seconds"

To what kind of attack/threat are you referring here?
Which sniffer will remove that on an XSS victim's PC?

dominick
Friday, July 22, 2005 5:32:28 AM (Pacific Standard Time, UTC-08:00)
What about doing it all in the code, so there is no need to hassle with versions or touch config files?

protected void Application_EndRequest(Object sender, EventArgs e)
{
    if(System.Environment.Version.Major<2)
    {
        foreach(string cookie in Response.Cookies)
        {
            const string HTTPONLY = ";HttpOnly";
            string path = Response.Cookies[cookie].Path;
            if (path.EndsWith(HTTPONLY) == false)
            {
                //force HttpOnly to be added to the cookie
                Response.Cookies[cookie].Path += HTTPONLY;
            }
        }
    }
}
Friday, July 22, 2005 5:50:01 AM (Pacific Standard Time, UTC-08:00)
I guess it's for html-script-injection-to-expose-session-id-or-stored-password attacks, e.g. for forums.
Anonymous
Friday, July 22, 2005 8:10:49 AM (Pacific Standard Time, UTC-08:00)
Daniel. Nice! I totally forgot about System.Environment. Thanks!
Friday, July 22, 2005 10:06:42 AM (Pacific Standard Time, UTC-08:00)
What's with declaring the const inside of the loop? Would it make more sense to declare it once above the foreach?
Anon
Friday, July 22, 2005 11:40:54 AM (Pacific Standard Time, UTC-08:00)
That's just me being sloppy. The JIT fixes that kind of sloppiness though.