ASP MVC 3 cookie losing HttpOnly and Secure flags

Grofit picture Grofit · Feb 27, 2013 · Viewed 14.4k times · Source

I am setting cookies as part of my mvc application:

var cookie = new HttpCookie(CookieName, encryptedData)
            {
                Path = FormsAuthentication.FormsCookiePath,
                Domain = CookieDomain,
                Expires = authenticationTicket.Expiration,
                HttpOnly = true,
                Secure = IsSecure // true
            };
            response.Cookies.Add(cookie);

Now if I debug I see that its all working fine, no problems and its added and thats fine too. However for some reason when it actually reaches the browser there is no HttpOnly flag or Secure flag set. So im a bit baffled...

I have tried setting the HttpOnly and Secure flags in the cookie web.config entry under System.Web:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Now here is how the response looks when the browser receives it:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Max-Age: 10000
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, x-requested-with, *
Access-Control-Allow-Origin: http://localhost:34567
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
Set-Cookie: myCookie=53BA8AF84835A81E014B9174329D8543FBB6029B71C463C6FC1305D9F966F28EAA058FE103325C0F10A3012480FB0EF3F6C0BAC4703A6A6B725F383ADA35A5C125A0438FC42CADCB0DAB77953C967E6660E51C4113C6545220A0C2F86230F446D159D523BBE9CA4D9419A67BC44D23B9C4D0974DF2ED66C47EA7308D8E42E1C2280EA6059A23303E3BCBDF28F6BD4A3DFA92FFAB33DDAC8EC05D99310D26FBD6310252156CD28B89386B0D483D6D2E295EF33487E64468655371CC446E0B5DDBF12B3AA8218AF1FA929A98638A1AC729BA60815B86EAD9624ED1787172B585BE4E457C3568AB6EAAF4865E8468D04336FA7340AAC1BA75162FB322D436DC9BF50466F2F0FB3464ECF41C6C1F7001639DFE2AB2AD9CBFB65A292FE5FA42783DF331AA4641432647BA9672FE6D4C15F830E4DF8B38605852BCB15E5B01B862D966E2FD1D620730312982DB8AB4CE5EE0D0E40E6C3F5234DE5EBFA594036D912F07C3798ED429A2552AD6C4B9EC10B90749850CBDEC97F0BF7E2E43CB3991608C5D533B6EA9F8D0A7AD949B42CD3BAA13DEE99C330121B3D868B412A3435FA01C7F223641CFE441A2E07F5DFB8B23F053CBA13F5E1262A07FBFD4EC4BADF9BD5898; expires=Wed, 27-Feb-2013 19:15:24 GMT; path=/
Date: Wed, 27 Feb 2013 18:45:24 GMT
Content-Length: 2

So am I missing something here? or is there something that I am not setting somewhere that I should be? I am also using CORS because this cookie is issued from a webserver as an authentication mechanism. SSL is enabled and is also being used via https for calls. Even if I turn secure cookies off and use http, the HTTPOnly flag is not being set either, so I am baffled.

=== Update ===

Having double checked it appears I misinformed you, the HttpOnly response is sent down from the server correctly on the first time you receive the cookie, HOWEVER! when an ajax call then sends the cookie to the server it seems to not add the httponly flag, which then means the cookie being thrown around is no longer as secure. The secure part of the cookie is not sent down on the first response, but at least this adds a bit more context to it all.

Answer

LiamB picture LiamB · Feb 27, 2013

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
        /* forms content */
    </forms>
  </authentication>
</system.web>