How exactly do you configure httpOnlyCookies in ASP.NET?

Question

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"

How do you set this property? Somewhere in the web config?

score 71 · Accepted Answer · edited May 25 '14 at 06:00

71

If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:

<httpCookies httpOnlyCookies="true"/>

edited May 25 '14 at 06:00

Rashmin Javiya

5,067
3
23
46

answered Aug 28 '08 at 22:19

Corey McKinnon

1,154
11
11

1

This doesn't work for me. I tried "" and neither settings works. – rolls Jan 06 '17 at 00:19
@rolls I have the same problem. Did you find a solution or cause? – Neothor May 01 '17 at 14:04

Dillie-O · Answer 2 · 2013-07-26T23:27:00.043

10

With props to Rick (second comment down in the blog post mentioned), here's the MSDN article on httpOnlyCookies.

Bottom line is that you just add the following section in your system.web section in your web.config:

<httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />

edited Jul 26 '13 at 23:27

answered Aug 28 '08 at 22:17

Dillie-O

28,071
14
93
139

8

By the way - don't actually use domain="String" - either set a valid domain or leave that attribute out. – Jon Galloway Dec 10 '11 at 01:37
@Dillie-O what can cause this element to be locked? when i set it in my web.config file, i get the following error "the element httpcookies has been locked in a higher level configuration" – StackTrace Nov 07 '16 at 14:01
@StackTrace - You might check your machine.config file on the server itself to see if that has a setting that has locked things. – Dillie-O Nov 07 '16 at 15:55

score 9 · Answer 3 · answered Aug 29 '08 at 02:48

If you want to do it in code, use the System.Web.HttpCookie.HttpOnly property.

This is directly from the MSDN docs:

// Create a new HttpCookie.
HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// By default, the HttpOnly property is set to false 
// unless specified otherwise in configuration.
myHttpCookie.Name = "MyHttpCookie";
Response.AppendCookie(myHttpCookie);
// Show the name of the cookie.
Response.Write(myHttpCookie.Name);
// Create an HttpOnly cookie.
HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(myHttpOnlyCookie.Name);

Doing it in code allows you to selectively choose which cookies are HttpOnly and which are not.

score 3 · Answer 4 · edited Sep 15 '16 at 13:01

3

Interestingly putting <httpCookies httpOnlyCookies="false"/> doesn't seem to disable httpOnlyCookies in ASP.NET 2.0. Check this article about SessionID and Login Problems With ASP .NET 2.0.

Looks like Microsoft took the decision to not allow you to disable it from the web.config. Check this post on forums.asp.net

edited Sep 15 '16 at 13:01

Stacked

5,676
5
52
69

answered Apr 21 '09 at 01:57

Matthew Lock

11,495
11
84
122

How exactly do you configure httpOnlyCookies in ASP.NET?

4 Answers4

Linked