Setting session cookie to HttpOnly

c# asp.net asp.net-mvc session cookies
12,947

Session Cookie will always be httponly. You cannot modify or override it.

when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false).

var cookie = Request.Cookies["ASP.Net_SessionId"];
if (cookie != null)
{
    var httpOnly = cookie.HttpOnly; // <-- This is always false
}

HttpOnly value is always false at server-side, because client browser does not send back to server whether cookie is in httponly or not.

How can I verify

You can use cookie editor such as Chrome Plugin EditThisCookie.

enter image description here

Share:
12,947
Dragomok
Author by

Dragomok

Left-handed IT professional working in whatever is currently needed (Java, Android, HTML/JavaScript/CSS, C#, PHP, horrifying MS Access legacy code, T-SQL, ...). Also, a muddy ball of outlier beliefs, varied personal interests and poor communication skills.

Updated on June 28, 2022

Comments

  • Dragomok
    Dragomok almost 2 years

    I am developing an ASP.NET MVC server with Entity Framework 6.0. As far as I'm aware, it's set up to be compatible with EF 4.5 (<httpRuntime targetFramework="4.5" />).

    I want to ensure that the session cookie (ie. cookie that stores the session identifier) is HttpOnly, since that's an industry-wide best practice, which helps protect against Cross-Site Request Forgery attacks.

    The problem is, it's created automatically by the framework, so I can't simply change an object's property right after calling the constructor, as is the case with all the other cookies.

    In Web.config, I've set <httpCookies httpOnlyCookies="true" />, and yet - when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false). And I don't quite know how to change that.

    I couldn't find anything in Microsoft's documentation about Web.config's <sessionState> that would change that. Here on Stack Overflow I only found a four year old question talking about how session cookie is HttpOnly by default, which is the precise opposite for me, and a five days old question asking why session cookie is not HttpOnly by default - which for some inexplicable reason was closed - without a comment - as a duplicate of the former.

    I know I can retrieve the session cookie, check it and set HttpOnly=true on every request (or do that less often with a slightly more refined/hackish filter, or set it manually on login, or...), but I'm not a blood-soaked barbarian there has to be a proper way to do this.

    So, how do I set the session cookie to HttpOnly?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

System.Web.HttpContext.Current.get returned null in asp.net mvc controller
How to store cookie permanently
HttpContext.Current.Session - NullReferenceException
Handling JWT expiration in .NET MVC-application
Get user's session ID in asp.net mvc
How to create Session Id for every Login in Asp.net MVC?
How to prevent session timeout
How to get request cookies in Web API authorization attribute?
Cookie to Expire when Browser Session Ends
MVC optimization for Session.Clear(), Session.Abandon(), Session.RemoveAll()?