I have a problem with creating HttpOnly cookies. I use the following code to create a new cookie:

    // A.aspx: issue the cookie with the HttpOnly flag, then redirect
    HttpCookie ht = new HttpCookie("www");
    ht.Value = "www";
    ht.Name = "www";
    ht.HttpOnly = true;
    ht.Expires = DateTime.Now.AddDays(1);
    Response.AppendCookie(ht);
    Response.Redirect("B.aspx");

    // B.aspx: read the cookies the browser sent back
    HttpCookie cookie = Request.Cookies["Allowed"];
    HttpCookie htt = Request.Cookies["www"];
    if (cookie != null)
    {
        Response.Write(cookie.HttpOnly);
        // guard against the "www" cookie being absent from the request
        Response.Write(htt != null && htt.HttpOnly);
    }
    else
    {
        cookie = new HttpCookie("Allowed");
        cookie.HttpOnly = true;
        cookie.Value = "ping";
        cookie.Expires = DateTime.Now.AddMinutes(2);
        Response.Cookies.Add(cookie);
        Response.Write(cookie.HttpOnly);
        Response.Write(htt != null && htt.HttpOnly);
    }

The problem is that the final result is always False, although the HttpOnly property is set to True.
Can anyone explain to me a way to figure this out?
Thanks

1 Answer

Cookie parameters (expiration date, path, HttpOnly etc) are not sent back to the server by the browser, only the values. Sending them back would only introduce unnecessary bloat. Therefore the cookies in Request.Cookies will only contain the names and values.

If you want to see if your HttpOnly value is taking effect, use Firecookie or something similar to inspect the cookies. Or try accessing them in JavaScript - that's what it's supposed to prevent.


7 Comments

@Matti Virkkunen, but if I need to distinguish between HttpOnly and regular cookies in my page, what should I do? And how can I access HttpOnly cookies in JavaScript, since they are HttpOnly?!
@Israa: Why do you need to distinguish between HttpOnly and not HttpOnly on the server side? It doesn't make any sense. If you really need to do so, keep a list of cookie names that are HttpOnly on the server and use that to find out which cookie is which.
@Matti Virkkunen: I need to do so because I will save a value in a cookie and check if this cookie exists; if so, the page will return some data. Therefore I need to know if it is HttpOnly, because anyone could make a cookie with the same name and get the data returned.
@Israa: You do realize that if I have full control over the HTTP client (which I, as the user, do), I can send your server any made-up cookies I wish, right? Even if there was a flag that tells your server it's "HttpOnly", I could just set that as well. You need to come up with another way of securing your data.
Thanks, well I guess there is no way to secure my data then :D
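An added example (not from the question or the answer, and in Python rather than ASP.NET) that walks through the exchange the answer describes: the server emits Set-Cookie with HttpOnly, a simulated browser stores that attribute locally but sends back only name=value pairs, and the server, reading the Cookie header the way Request.Cookies does, finds every attribute blank. The HTTP_ONLY_NAMES set and all function names are assumptions; the set is the answerer's suggested server-side list of HttpOnly cookie names, and the http.cookies module stands in for both browser and server parsing.

```python
from http.cookies import SimpleCookie

# Names the server itself marked HttpOnly when issuing them (the answerer's
# workaround). This is the only place that knowledge survives on the server,
# because the browser never echoes cookie attributes back.
HTTP_ONLY_NAMES = {"www", "Allowed"}


def server_set_cookie(name, value, http_only=True, max_age=86400):
    """Build the Set-Cookie header value the issuing page sends (A.aspx role)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = http_only
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def browser_store(set_cookie_headers):
    """Parse Set-Cookie headers like a browser; attributes stay client-side."""
    store = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            store[name] = {"value": morsel.value,
                           "httponly": bool(morsel["httponly"])}
    return store


def browser_cookie_header(store):
    """The Cookie request header carries name=value pairs and nothing else."""
    return "; ".join(f"{name}={c['value']}" for name, c in store.items())


def server_read_request(cookie_header):
    """What Request.Cookies sees on B.aspx: names, values, blank attributes.

    A hand-crafted Cookie header parses identically to one a browser built,
    so 'httponly_known' only says the server once issued that name as
    HttpOnly; it says nothing about who produced the value.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: {"value": morsel.value,
                   "httponly_attr": morsel["httponly"],   # always "" here
                   "httponly_known": name in HTTP_ONLY_NAMES}
            for name, morsel in jar.items()}
```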
