A question recently arose about how to set a cookie to be HttpOnly. An HttpOnly cookie is one that cannot be accessed through client-side script. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting.
Setting a cookie to be HttpOnly
One way to set a cookie to be HttpOnly is to change how you define it.
Rather than something like this:
Response.Cookies("mycookie") = "foo"
We can do this:
Response.AddHeader "Set-Cookie", "mycookie=foo; HttpOnly"
What about cookies you don’t create yourself?
This works great for cookies that you create yourself. But what about those that are created by IIS and ASP, such as the ASPSESSION cookie?
One approach to this is to use the URL Rewrite module in IIS7, and have it add HttpOnly to any outgoing cookies.
This is the solution that is laid out here: http://forums.iis.net/t/1168473.aspx
- Install the URL Rewrite Module: http://www.iis.net/download/URLRewrite
- Modify your web.config to contain a rewrite rule:
For classic ASP apps on IIS7, if you don’t already have a web.config file, simply create one in the root directory of your web app.
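A rule of this kind, as an added example (it is not the rule text from the original post or the linked forum thread): an outbound rule for the URL Rewrite module that appends HttpOnly to every Set-Cookie response header that does not already carry it. The rule name and precondition name are arbitrary choices made for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Runs only when the precondition below holds, so cookies that
             already carry the attribute (such as the one set manually with
             Response.AddHeader) are left untouched. -->
        <rule name="AddHttpOnly" preCondition="SetCookieWithoutHttpOnly">
          <!-- RESPONSE_Set_Cookie is how URL Rewrite exposes the
               Set-Cookie response header to outbound rules. -->
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
          <!-- {R:0} is the whole original header value. -->
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <preConditions>
          <preCondition name="SetCookieWithoutHttpOnly">
            <!-- A Set-Cookie header is present on this response... -->
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <!-- ...and it does not already end up marked HttpOnly. -->
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```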
That’s it. Now your outgoing cookies will be set to HttpOnly.
We can confirm this by using Fiddler to look at the Response headers:
Notice the HttpOnly keyword in the cookie.
alert('mycookie = ' + getCookie('mycookie') );
For more information on HttpOnly cookies, check out: