ASP.NET HttpOnly cookie in web.config not working

asp.net cookies httponly cookie-httponly
jmosesman picture jmosesman · Nov 30, 2012 · Viewed 18.3k times · Source

From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working.

<configuration>
<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>
...
</configuration>

Is there something else I'm missing? I've seen many posts on this subject, but the cookies will not show up as HttpOnly (or secure, if I add the requireSSL="true" to the tag).

I'm using IIS 7.0.

Edit:

I'm trying to set this in the web.config at the root level to cover all cookies. I'm looking at the cookies in Firebug on the ASP page and the 'HttpOnly' section that should have green text saying 'HttpOnly' is empty for some of them.

Example:

enter image description here

Answer

Related questions

How exactly do you configure httpOnlyCookies in ASP.NET?

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly" How do you set this property? Somewhere in the web config?

Read More
How do you remove HttpOnly cookies?

If my application places HttpOnly cookies on a client and then needs to remove them how can you remove them completely?

Read More
How to delete cookies on an ASP.NET website

In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear(). In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added …

Read More