
From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working.

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
  ...
</configuration>

Is there something else I'm missing? I've seen many posts on this subject, but the cookies will not show up as HttpOnly (or secure, if I add the requireSSL="true" to the tag).

I'm using IIS 7.0.

Edit:

I'm trying to set this in the web.config at the root level to cover all cookies. I'm looking at the cookies in Firebug on the ASP page and the 'HttpOnly' section that should have green text saying 'HttpOnly' is empty for some of them.

Example: [screenshot of the Firebug cookie panel, not included here]

  • This is the required setting. Could you please share where you are creating your cookie and how did you check that this is not working? – CodeSpread Nov 30 '12 at 17:27
  • Thanks for the reply. Please look at my edit. – jmosesman Nov 30 '12 at 18:04
  • Other cookies are generated by default and not governed by our custom cookie setting rules. – CodeSpread Nov 30 '12 at 18:07
  • I think the one cookie that shows HttpOnly was actually picked up from another part of the site. When I reopened Firefox it no longer shows that. So I'm back to not having the web.config working correctly. – jmosesman Nov 30 '12 at 19:03
  • I think we are taking the wrong direction here. Once you have set your cookie, then after some time it will be destroyed and a new cookie gets created if it is not marked as a persistent cookie, so if you reopen the browser again and make a request, you will not be able to set the cookie again until the time it expires. – CodeSpread Nov 30 '12 at 19:50
  • Well, I think the problem is that the cookie is never being written as HttpOnly in the first place. For some reason the ASP.NET_SessionID is HttpOnly, and I think this is some kind of ASP.NET default, not something I'm doing, as shown by the others not being HttpOnly. – jmosesman Nov 30 '12 at 22:36
  • About aspnet_sessionid: http://stackoverflow.com/questions/2247143/how-is-httponly-get-set-for-asp-net-sessionid-cookie – CodeSpread Dec 01 '12 at 03:00
  • You have not shared the code as to where you are creating the cookie in your project. Refer to this: http://stackoverflow.com/questions/33529/how-exactly-do-you-configure-httponlycookies-in-asp-net – CodeSpread Dec 01 '12 at 03:01
  • CodeSpread, thank you for the links. The second link is what I found and how I'm trying to implement this (through the web.config). From my screenshot, do you know what the cookies mean that start out 'ASPSESSIONIDsomeRandomString'? I have not posted any code because I inherited this project, so 1) I don't know where all the cookies are, and 2) there are dozens of applications in this project folder, so there are many, many places cookies could be created. Thank you for your help. – jmosesman Dec 03 '12 at 19:21
  • Did you figure this out? – rolls Jan 06 '17 at 00:12
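Since the thread ends without a fix, here is an added example (not from the question or the comments, and my own class name) of the pattern that fits "dozens of applications, many places cookies could be created": an IHttpModule that stamps HttpOnly on every cookie in ASP.NET's Response.Cookies at EndRequest, so the flag no longer depends on finding each Response.Cookies.Add call. It assumes the cookies pass through the ASP.NET pipeline; the ASPSESSIONID... cookies in the screenshot are classic ASP session cookies, which neither the httpCookies element in web.config nor an ASP.NET module governs.

```csharp
using System;
using System.Web;

// Added example: forces HttpOnly (and Secure on HTTPS responses) on every
// cookie ASP.NET is about to send, regardless of which page created it.
//
// Registration (constructed for this example), IIS 7 integrated mode:
//   <system.webServer><modules>
//     <add name="CookieFlags" type="CookieFlagsModule" />
//   </modules></system.webServer>
// Classic mode / IIS 6 uses <system.web><httpModules> instead.
public class CookieFlagsModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // EndRequest fires after pages, handlers and session state have
        // added their cookies but before the response headers are sent.
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        bool isHttps = app.Context.Request.IsSecureConnection;
        EnforceFlags(app.Context.Response.Cookies, isHttps);
    }

    // Kept separate so the rule can be exercised against a constructed
    // HttpCookieCollection outside of a live request. Returns how many
    // flags were added, which is handy for logging during rollout.
    public static int EnforceFlags(HttpCookieCollection cookies, bool isHttps)
    {
        int changed = 0;
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            if (!cookie.HttpOnly) { cookie.HttpOnly = true; changed++; }
            // Only add Secure when the request itself came over HTTPS; a
            // Secure cookie issued on a plain-HTTP response is never stored.
            if (isHttps && !cookie.Secure) { cookie.Secure = true; changed++; }
        }
        return changed;
    }

    public void Dispose() { }
}
```

After deploying, re-check the Set-Cookie headers (Firebug or the raw response) rather than the stored-cookie view, since an existing cookie only picks up the new flags when the server re-issues it.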
