ASP.NET 2.0 and the new HTTP-only property

  • Article

To minimize the threat of Cross Site scripting attacks ASP.NET 1.1 introduced the ValidateRequest="true" on the @ Pages element.  Recently, Microsoft improved the HttpUtility.HtmlEncode with the new Anti-XSS tool.  But another subtle and equally important addition in ASP.NET 2.0 is the HTTP-only option.  HTTP-only is a flag that you can append to cookies and helps to reduce harvesting attacks to steal authentication or other valuable cookies.  HTTP-only is now a property that can be set on the HttpCookie class.  

This property is already set by default for Authentication and Sessions cookies in ASP.NET 2.0 but not for manually issued cookies.  Therefore, you should consider enabling this option for your manually issued cookies as well.  This option can be enabled in web.config by modifying the httpCookies element as in the example below:

<httpCookies httpOnlyCookies="true" />

When an HttpOnly cookie is received by a compliant browser such as Internet Explorer Service Pack 1, it is inaccessible to client-side script.  But this does not prevent an attacker with access to the network channel from accessing the cookie directly.

 

Note that in ASP.NET 1.1 the System.Net.Cookie class does not support the HttpOnly property. Therefore, to add an HttpOnly attribute to the cookie you could add the following code to your application's Application_EndRequest event handler in Global.asax:

 

protected void Application_EndRequest(Object sender, EventArgs e)

{

string authCookie = FormsAuthentication.FormsCookieName;

      foreach (string sCookie in Response.Cookies)

      {

      if (sCookie.Equals(authCookie))

            {

             Response.Cookies[sCookie].Path += ";HttpOnly";

            }

      }

}