Using the URL Rewrite module to set your cookies to HttpOnly

A question recently arose about how to set a cookie to be HttpOnly. An HttpOnly cookie is one that cannot be accessed through client-side script. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting.

Setting a cookie to be HttpOnly

One way to set a cookie to be HttpOnly is to change how you define it.

Rather than something like this:

Response.Cookies("mycookie") = “foo”;

We can do this:

Response.AddHeader "Set-Cookie", "mycookie=foo; HttpOnly"

Pretty simple.

What about cookies you don’t create yourself?

This works great for cookies that you create yourself. But what about those that are created by IIS and ASP, such as the ASPSESSION cookie?

One approach to this is to use the Url Rewrite module in IIS7, and have it add HttpOnly to any outgoing cookies.

This is the solution that is laid out here:


  1. Install the Url Rewrite Module:
  2. Modify your web config to contain a rewrite rule:

For classic ASP apps on IIS7, if you don’t already have a web.config file, simply create one in the root directory of your web app.

That’s it. Now your outgoing cookies will be set to HttpOnly.


We can confirm this by using Fiddler to look at the Response headers:


Notice the HttpOnly keyword in the cookie.

We can also try to access the cookie via some client side Javascript:

alert('mycookie = ' + getCookie('mycookie') );

which yields:



Additional Reading

For more information on HttpOnly cookies, check out: