18

I found numerous examples of adding HttpOnly to my cookies, but it does not work for me and I am not sure why. All the examples I found were the same, and I copied this one from one of the posts I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong. Thanks

    <rewrite>
      <outboundRules>
        <!-- First attempt: the preCondition tests the whole RESPONSE_Set_Cookie value (see UPDATE below) -->
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>

UPDATE

I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.

So instead of evaluating

    Set-Cookie: myC5=we have S Cookie; path=/; secure
    Set-Cookie: myC6=we have S Cookie; path=/; secure
    Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly

It is evaluating

    myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly

Since the whole string has ; HttpOnly in it, the preCondition fails.

How do I get past this? Any ideas?

Liam
mrhoades
  • It's perfectly acceptable to [answer your own question](http://meta.stackexchange.com/questions/17845/etiquette-for-answering-your-own-question) you know? – Liam Oct 02 '15 at 09:45

1 Answer

24

I finally got past this, so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.

    <!-- Goes inside <system.webServer> in web.config (URL Rewrite module required). -->
    <rewrite>
        <outboundRules>
            <!-- Each Set-Cookie value is matched on its own; {R:0} is that single cookie. -->
            <rule name="Add HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <!-- Only rewrite when this cookie does not already carry the flag. -->
                    <add input="{R:0}" pattern="; HttpOnly" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; HttpOnly" />
            </rule>
            <!-- Runs after the rule above, so it sees the already-rewritten value. -->
            <rule name="Add Secure">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <add input="{R:0}" pattern="; Secure" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; Secure" />
            </rule>
        </outboundRules>
    </rewrite>

Hope this helps someone in the future.

Liam
  • Added answer as OP seems to no longer be active on SO, made wiki – Liam Oct 02 '15 at 09:47
  • Tested on IIS 7.5, Server 2008 R2, classic ASP; works fine. Many other examples seemed to be close, but this answer works as it should. – Murray W Jan 27 '16 at 22:40
  • I think the pattern in the match section needs to be ".+" instead of ".*" - otherwise, empty cookies are created on pages that aren't setting cookies. – dsmtoday Dec 10 '18 at 05:44
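A worked emulation of the two behaviours discussed in the question's UPDATE and in the answer, added here as an example; it is not code from the question, the answer or IIS. It models the rewrite logic in Python so the difference can be checked offline: the question's preCondition tests the comma-joined RESPONSE_Set_Cookie value, so one cookie that already carries HttpOnly blocks the rewrite for all of them, whereas the answer's per-cookie conditions test the back reference {R:0} for each Set-Cookie value in turn. It also covers the comment's point about `.+` versus `.*` (an absent header reads as an empty server variable, which `.*` turns into a bogus `; HttpOnly; Secure` header) and ends with the audit you would run on a captured response after deploying the rules. Assumptions: the sample headers are the three from the question, constructed here rather than captured; the flag checks are loosened to `;\s*HttpOnly` and `;\s*Secure`, case-insensitive (URL Rewrite conditions ignore case by default), so a cookie written `a=b;httponly` is not given a duplicate flag, which the page's literal `; HttpOnly` pattern would do.

```python
import re

# Constructed sample data: the three Set-Cookie values from the question's
# UPDATE, not captured from a real server.
SAMPLE_SET_COOKIE = [
    "myC5=we have S Cookie; path=/; secure",
    "myC6=we have S Cookie; path=/; secure",
    "myC7=we have S Cookie; path=/; secure; HttpOnly",
]

# Attribute checks. URL Rewrite conditions are case-insensitive by default;
# the \s* is an assumption added here so "a=b;httponly" is not given a second
# flag (the page's literal "; HttpOnly" pattern would miss that spelling).
HTTPONLY_RE = re.compile(r";\s*HttpOnly\b", re.IGNORECASE)
SECURE_RE = re.compile(r";\s*Secure\b", re.IGNORECASE)
FLAGS = (("HttpOnly", HTTPONLY_RE), ("Secure", SECURE_RE))


def rewrite_with_precondition(set_cookie_values):
    """Emulate the question's first rule set.

    The preCondition reads {RESPONSE_Set_Cookie} as one comma-joined string,
    so a single cookie that already carries HttpOnly disables the rule for
    every cookie in the response (the behaviour the tracing revealed).
    """
    joined = ",".join(set_cookie_values)
    if not joined or HTTPONLY_RE.search(joined):
        return list(set_cookie_values)  # preCondition fails: nothing rewritten
    return [v + "; HttpOnly" for v in set_cookie_values]


def rewrite_per_cookie(set_cookie_values, match_pattern=r".+"):
    """Emulate the accepted answer: run the two outbound rules in order on
    each Set-Cookie value, testing the back reference {R:0} for the flag.

    match_pattern is the rule's <match pattern="...">. The answer uses ".+",
    which does not match an empty server variable; the comment warns that
    ".*" does, and so manufactures a Set-Cookie header on pages that set
    no cookie at all.
    """
    # With no Set-Cookie header the server variable is simply empty.
    values = list(set_cookie_values) or [""]
    result = []
    for value in values:
        for flag, flag_re in FLAGS:
            m = re.search(match_pattern, value)
            if m is None:                      # rule does not fire
                continue
            if flag_re.search(m.group(0)):     # condition: flag already present
                continue
            value = m.group(0) + "; " + flag   # action: Rewrite "{R:0}; Flag"
        if value:                              # an empty variable emits no header
            result.append(value)
    return result


def audit_cookie_flags(set_cookie_values):
    """Post-deployment check: map each cookie name to the flags it still lacks.

    Feed it the Set-Cookie values of a captured response (e.g. from curl -i)
    and expect an empty dict once the rules are in place.
    """
    missing = {}
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        lacking = [flag for flag, flag_re in FLAGS if not flag_re.search(value)]
        if lacking:
            missing[name] = lacking
    return missing


if __name__ == "__main__":
    print("broken preCondition:", rewrite_with_precondition(SAMPLE_SET_COOKIE))
    print("per-cookie rules:   ", rewrite_per_cookie(SAMPLE_SET_COOKIE))
    print("no cookies, '.*':   ", rewrite_per_cookie([], match_pattern=r".*"))
    print("still missing:      ", audit_cookie_flags(SAMPLE_SET_COOKIE))
```

Two caveats when applying the answer's rules for real. The "Add Secure" rule stamps Secure on every cookie the server emits, so any part of the site still served over plain HTTP will stop receiving its cookies; that is the intended outcome for a session cookie, but check it against the site's actual scheme before deploying. And for cookies that ASP.NET itself issues, `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>` sets the same two flags without a rewrite rule; the outbound-rule approach is what covers cookies set outside ASP.NET, such as the classic ASP case in the comment above.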