“HttpOnly Cookies on ASP.NET 1.1″ - a little added security

« What happened to 30 KB? | Home | Testing sites in old browsers »

“HttpOnly Cookies on ASP.NET 1.1″ - a little added security

Scott Hanselman has a good post today about the HttpOnly cookie attribute. It secures the cookie from access via the DOM. “The value of this property is questionable since any sniffer or Fiddler could easily remove it. That said, it could slow down the average script kiddie for 15 seconds.”

Read Scott’s full blog entry.

Here’s the meat-and-potatoes of what Scott came up with; it’s for your global.asax:

protected void Application_EndRequest(Object sender, EventArgs e)
{
    foreach(string cookie in Response.Cookies)
    {
        const string HTTPONLY = ";HttpOnly";
        string path = Response.Cookies[cookie].Path;
        if (path.EndsWith(HTTPONLY) == false)
        {
            //force HttpOnly to be added to the cookie
            Response.Cookies[cookie].Path += HTTPONLY;
        }
    }
}

Friday, 22 July 2005 14:01:58 (Eastern Daylight Time, UTC-04:00)

Comments [0] - Trackback

OpenID
Please login with either your OpenID above, or your details below.

Name *
E-mail	(will show your gravatar icon)
Home page

	Remember Me
Comment (HTML not allowed)
Enter the code shown (prevents robots):
Live Comment Preview

Jay Harris is Cpt. LoadTest

“HttpOnly Cookies on ASP.NET 1.1″ - a little added security

Jay Harris

Tags

Archive

License

Disclaimer

Administration

Powered By

Theme