Scott Hanselman

HttpOnly Cookies on ASP.NET 1.1

July 21, '05 Comments [6] Posted in ASP.NET

Internet Explorer 6 SP1 supports an extra "HttpOnly" cookie attribute that prevents client-side script from accessing the cookie via the document.cookie property. Cookies still round trip.

The value of this property is questionable since any sniffer or Fiddler could easily remove it. That said, it could slow down the average script kiddie for 15 seconds.

You can do it a few ways. I added this to the Global.asax and catch all the cookies on the way out the door. You could choose to do this to specific cookies if you like.

protected void Application_EndRequest(Object sender, EventArgs e)
{
    foreach(string cookie in Response.Cookies)
    {
        const string HTTPONLY = ";HttpOnly";
        string path = Response.Cookies[cookie].Path;
        if (path.EndsWith(HTTPONLY) == false)
        {
            //force HttpOnly to be added to the cookie
            Response.Cookies[cookie].Path += HTTPONLY;
        }
    }
}

Of course, ASP.NET 2.0 can do all this for you via a Web.config setting.

SILLY GOTCHA: If you do this in your ASP.NET 1.1 app and then run your 1.1 app under 2.0 without changes, be aware that ASP.NET 2.0 will blindly append ANOTHER HttpOnly after every cookie, giving you the value TWICE. You'll then need to turn it off in web.config, as your code would be handling it.

<httpCookies httpOnlyCookies="false" requireSSL="false" domain="" />
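To confirm each cookie ends up with the attribute exactly once, here is an added example (not code from the original post) that counts HttpOnly in raw Set-Cookie header values: zero means the flag is missing, two means the 1.1 path trick and the 2.0 setting are both active. The class and method names and the sample headers are constructed for illustration.

```csharp
using System;

// Added example: audits raw Set-Cookie header values for the HttpOnly attribute.
public static class HttpOnlyAudit
{
    public enum Result { Missing, Ok, Duplicated }

    // Counts attributes named "HttpOnly" (case-insensitive) that follow
    // the leading name=value pair of a single Set-Cookie header value.
    public static int CountHttpOnly(string setCookieValue)
    {
        string[] parts = setCookieValue.Split(';');
        int count = 0;
        // parts[0] is name=value; attributes start at index 1.
        for (int i = 1; i < parts.Length; i++)
        {
            if (string.Equals(parts[i].Trim(), "HttpOnly",
                              StringComparison.OrdinalIgnoreCase))
            {
                count++;
            }
        }
        return count;
    }

    public static Result Classify(string setCookieValue)
    {
        int n = CountHttpOnly(setCookieValue);
        if (n == 0) return Result.Missing;
        return n == 1 ? Result.Ok : Result.Duplicated;
    }

    public static void Main()
    {
        // Constructed sample headers, not captured from a real site.
        string[] samples =
        {
            "ASP.NET_SessionId=abc123; path=/",                    // no flag at all
            "ASP.NET_SessionId=abc123; path=/;HttpOnly",           // path trick on 1.1
            "ASP.NET_SessionId=abc123; path=/;HttpOnly; HttpOnly"  // trick plus 2.0 setting
        };
        foreach (string header in samples)
        {
            Console.WriteLine("{0,-10} {1}", Classify(header), header);
        }
    }
}
```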

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Presentation Tips PPT

July 20, '05 Comments [7] Posted in Musings

A while back I posted some Presentation Tips. I will update them one day as I've learned oodles since then.

However, for the CodeCamp this weekend (surely you're going...) I've been asked to give a Presentation Skills Workshop.

That's a tall order, as everyone has their opinion about what makes a good or bad presentation. At any rate, here's the PPT I'm going to use during my talk.

Hanselman Presentation Tips.zip (1430 KB)


Adding Custom UserControls to DasBlog

July 19, '05 Comments [1] Posted in ASP.NET | DasBlog | TechEd | Speaking

Even though the soon-to-come DasBlog 1.8 will include support for Custom Macros, you CAN get custom functionality now with this existing macro:

<%newtelligence.aspnetcontrol("TechEdBloggersFeed.ascx")%>

This will load the specified ASCX control into the page at this location. The code-behind can be in another (non-DasBlog) assembly.

This won't give you access to the DasBlog DataService; that's what the new Custom Macro support does. Still, pretty slick, and a good reminder from Michael Earls.


Microsoft Update versus Windows Update

July 19, '05 Comments [7] Posted in Musings

Sigh, well apparently no one in Microsoft marketing remembers the chaos caused (and still caused) by multiple versions of Windows Messenger versus Microsoft Messenger versus MSN Messenger. And it was only a year ago.


Well, anyway, you can switch your system over to Microsoft Update (I have) by visiting http://update.microsoft.com/microsoftupdate. Of course, switch only your personal computer unless your IT department has OK'ed this, yada yada. Looks like a new ActiveX control will be downloaded and you'll have Office Updates included within your Automatic BITS Updates. Shiny.



Visual Studio Command Prompt Here and Search Unknown File Extensions

July 16, '05 Comments [4] Posted in ASP.NET | Web Services | Bugs | Tools

I found myself searching my own blog for these three things today to set up another machine for development. Here they are so *I* can find them.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.