ASP 101 - Active Server Pages 101 - Web06
The Place ASP Developers Go!
Quick Tips


Help Stop Cross-Site Scripting Attacks with HttpOnly Cookies

Did you know that there's a simple little change you can make in the way you handle cookies that can help prevent your users from falling victim to a cross-site scripting attack? Implementing HttpOnly cookies is quick, easy, and goes a long way towards making your application safer for everyone.

HttpOnly cookies behave exactly like regular cookies with one important difference: they cannot be accessed by client-side script running in the user's browser. This doesn't seem like a big difference until you realize that many cross-site scripting exploits depend on this very capability.

As long as you're running .NET 2.0 or higher, you can enable HttpOnly cookies in a couple different ways. The easiest is to simply edit your application's Web.config file. Setting the value of the httpOnlyCookies attribute of the httpCookies element to true will convert all the cookies your application sends to the HttpOnly flavor.

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>

You can also do the same thing for individual cookies that you set via code. It couldn't be much easier as you can see in the following listing:

    Dim myCookie As HttpCookie
    myCookie = New HttpCookie("LastVisit", DateTime.Now.ToString())
    myCookie.HttpOnly = True
    Response.AppendCookie(myCookie)

Now for the bad news: HttpOnly cookies only work in relatively new browsers. Older browsers will either treat them as regular cookies or ignore them altogether. If you happen to have a user base which is particularly behind the times, you'll need to do some testing to see how your application behaves in their browser(s) of choice.

For more information, you may find the following links useful:

Update: HttpOnly Cookies in ASP.NET 1.x and Classic ASP

I've gotten a number of emails from users anxious to use HttpOnly cookies in their legacy Web projects. Rest assured, you can get the same HttpOnly functionality regardless of your server side tool of choice... it just takes a little more work.

For those of you using ASP.NET 1.x, try this code:

    Dim myCookie As HttpCookie
    myCookie = New HttpCookie("LastVisit", DateTime.Now.ToString())
    myCookie.Path += "; HttpOnly"
    Response.AppendCookie(myCookie)

It's a little bit of a hack, but it should work in most cases. The only situation I can think of that might cause a problem is if your cookies are flagged as secure.

In classic ASP it's a little more difficult. You can't really use the Cookie object to accomplish the task, so you'll need to resort to brute force and use the Response.AddHeader method to set the cookie.

    Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"

As you can see, HttpOnly cookies aren't just for developers lucky enough to be using the latest version of ASP.NET. With a few tweaks you can use them with whichever server-side technology you prefer.
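Whichever of the three techniques above you use, it is worth checking the Set-Cookie headers your application actually sends rather than trusting the configuration. The script below is an added example, not code from this tip: it parses Set-Cookie headers the way a browser does (attributes separated by semicolons, attribute names case-insensitive) and flags every cookie that client-side script could still read. The sample headers are constructed except for the classic ASP one quoted above, and render_legacy_cookie is an assumed, simplified model of a framework copying the Path value verbatim into the header, which is what makes the ASP.NET 1.x trick work.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute (added example)."""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; attr; attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive: HttpOnly == httponly == HTTPONLY
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_httponly(header: str) -> bool:
    """True if the header carries the HttpOnly attribute in any casing."""
    return "httponly" in parse_set_cookie(header)[2]


def audit(headers: List[str]) -> List[str]:
    """Return the names of cookies that client-side script could still read."""
    return [parse_set_cookie(h)[0] for h in headers if not is_httponly(h)]


def render_legacy_cookie(name: str, value: str, path: str) -> str:
    """Simplified model (an assumption, not ASP.NET's real serialiser) of a
    framework with no HttpOnly property: the Path value is copied verbatim,
    so setting Path to '/; HttpOnly' smuggles the attribute into the header."""
    return f"{name}={value}; path={path}"


# Constructed sample headers, as a browser would receive them.
SAMPLE_HEADERS = [
    "SessionId=a1b2c3; path=/; HttpOnly",                           # httpOnlyCookies="true"
    "CookieName=CookieValue; path=/; HttpOnly",                      # the classic ASP AddHeader line
    render_legacy_cookie("LastVisit", "2007-06-01", "/; HttpOnly"),  # ASP.NET 1.x Path hack
    "Prefs=dark; path=/",                                            # readable by script
    "Auth=xyz; path=/; secure",                                      # Secure, but not HttpOnly
]

if __name__ == "__main__":
    for cookie_name in audit(SAMPLE_HEADERS):
        print(f"WARNING: cookie {cookie_name!r} is not HttpOnly")
```

Feed it the real headers from a capture of your own site (the browser's network inspector or a proxy log) to confirm each cookie gets the flag in every path through the application.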

If you have a tip you would like to submit, please send it to: webmaster@asp101.com.