Using IIS Rewrite to add HttpOnly Flag To Cookies Not Working

iis cookies rewrite httponly
mrhoades picture mrhoades · Sep 5, 2014 · Viewed 13.4k times · Source

I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks

<rewrite>
  <outboundRules>
    <rule name="Add HttpOnly" preCondition="No HttpOnly">
      <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
      <action type="Rewrite" value="{R:0}; HttpOnly" />
      <conditions>
      </conditions>
    </rule>
    <preConditions>
      <preCondition name="No HttpOnly">
        <add input="{RESPONSE_Set_Cookie}" pattern="." />
        <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
      </preCondition>
    </preConditions>
  </outboundRules>
</rewrite>

UPDATE

I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.

So instead of evaluating

Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly

It is evaluating

myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly

Since the whole string has ; HttpOnly in it, the preCondition fails.

How do I get past this? Any ideas?

Answer

Liam picture Liam · Oct 2, 2015

I finally got pass this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.

    <rewrite>
        <outboundRules>
            <rule name="Add HttpOnly">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <add input="{R:0}" pattern="; HttpOnly" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; HttpOnly" />
            </rule>
            <rule name="Add Secure">
                <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
                <conditions>
                    <add input="{R:0}" pattern="; Secure" negate="true" />
                </conditions>
                <action type="Rewrite" value="{R:0}; Secure" />
            </rule>
        </outboundRules>
    </rewrite>

Hope this helps someone in the future.

Related questions

Preventing CSRF with the same-site cookie attribute

I was surfing the web and found article Preventing CSRF with the same-site cookie attribute. As on link maintain We need to add Set-Cookie header. Set-Cookie: key=value; HttpOnly; SameSite=strict Now My Question is, I want to set this …

Read More
Classic ASP: Multiple ASPSESSIONID in cookies

I have a problem with a classic asp page and I just cannot solve it since 3 days. The page is working with Sessions - sometimes it happens that the ASPSESSIONID cookie is set twice in the Request.ServerVariables("HTTP_COOKIE"). …

Read More
How do I setup IIS with a cookieless domain to improve performance?

I was reading in google's documentation their new pagespeed plugin, that they recommend using cookieless domains to improve performance: Static content, such as images, JS and CSS files, don't need to be accompanied by cookies, as there is no user …

Read More