January 20, 2011
A question recently arose about how to set a cookie to be HttpOnly. An HttpOnly cookie is one that cannot be accessed through client-side script. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Setting a cookie to be HttpOnly One way to set a cookie to be HttpOnly is to change how you define it. Rather than something like this: Response.Cookies("mycookie") = “foo”; We can do this: Response.AddHeader "Set-Cookie", "mycookie=foo; HttpOnly" Pretty simple. What about cookies you don’t create yourself? This works great for cookies that you create yourself. But what about those that are created by IIS and ASP, such as the ASPSESSION cookie? One…
Using the URL Rewrite module to set your cookies to HttpOnly
January 20, 2011
A question recently arose about how to set a cookie to be HttpOnly. An HttpOnly cookie is one that cannot be accessed through client-side script. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The use of HTTP-only cookies is one of several techniques that, when used together, can mitigate the risk of cross-site scripting. Setting a cookie to be HttpOnly One way to set a cookie to be HttpOnly is to change how you define it. Rather than something like this: Response.Cookies("mycookie") = “foo”; We can do this: Response.AddHeader "Set-Cookie", "mycookie=foo; HttpOnly" Pretty simple. What about cookies you don’t create yourself? This works great for cookies that you create yourself. But what about those that are created by IIS and ASP, such as the ASPSESSION cookie? One…