How exactly do you configure httpOnlyCookies in ASP.NET?

asp.net cookies xss httponly
Teller picture Teller · Aug 29, 2008 · Viewed 105.4k times · Source

Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"

How do you set this property? Somewhere in the web config?

Answer

Corey McKinnon picture Corey McKinnon · Aug 29, 2008

If you're using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the <system.web> section, add the following line:

<httpCookies httpOnlyCookies="true"/>

Related questions

How to delete cookies on an ASP.NET website

In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear(). In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added …

Read More
How to get the cookie value in asp.net website

I am creating a cookie and storing the value of username after succesfull login. How can I access the cookie when the website is opened. If the cookie exist I want to fill the username text box from the cookie …

Read More
Check if Cookie Exists

From a quick search on Stack Overflow I saw people suggesting the following way of checking if a cookie exists: HttpContext.Current.Response.Cookies["cookie_name"] != null or (inside a Page class): this.Response.Cookies["cookie_name"] != null However, when …

Read More