HttpOnly cookies setup

Question
User-816235319 posted
Hi
I have an application served over SSL, and I want its cookies marked with the Secure attribute so that they are only transmitted when the channel to the host is HTTPS. If the Secure attribute is not set, an attacker or a configuration error could cause the cookies to be transmitted over plain HTTP, allowing unauthorized access to the application.
My question is where in IIS7 I can alter the configuration to set the "HttpOnly" attribute on all cookies. The application currently does not set "HttpOnly" at all. (Note that Secure and HttpOnly are two different attributes: Secure stops the browser from sending the cookie over plain HTTP, while HttpOnly hides it from client-side script. Both are normally wanted on session and authentication cookies.)
Thanks
Friday, January 6, 2012 3:41 PM
Answers
User1273594895 posted
You can create an HttpModule that handles the application's `PreSendRequestHeaders` event, then loop through the outgoing cookies (or the `Set-Cookie` response headers) and amend them there, adding `HttpOnly` and, for an HTTPS-only site, `Secure`. This gives you a single point of maintenance (for when you need to add exclusions) and also "upgrades" existing cookies on the next request. If you do not need exclusions, the simpler route is `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>` in web.config; note that this only affects cookies added through `Response.Cookies`, not raw `Set-Cookie` headers written with `AddHeader`.
Tuesday, January 24, 2012 10:22 AM
All replies
User1618479829 posted
I tried like this in my application ..
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
(That is classic-ASP/VBScript syntax; in C# the call is `Response.AddHeader("Set-Cookie", "...")`. Since the site is HTTPS-only you will also want `; Secure` on the end. In ASP.NET it is cleaner to create an `HttpCookie`, set `cookie.HttpOnly = true` and `cookie.Secure = true`, and add it to `Response.Cookies`, so the cookie collection and any web.config `<httpCookies>` settings stay consistent.)
Friday, January 6, 2012 3:45 PM -
User-816235319 posted
Thanks, it is an ASP.NET 3 application.
Friday, January 6, 2012 3:48 PM -
User1618479829 posted
I assume you mean ASP.NET on the .NET 3.0 Framework. `HttpCookie.HttpOnly` has been available since .NET Framework 2.0, so it is supported by every framework version you are likely to be running.
Please go through this.
http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
Friday, January 6, 2012 3:56 PM -
User-816235319 posted
I have the following code and need to know where to add the line above:
Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
using System.Collections;
using System.Collections.Generic;
using System.Web.UI.WebControls;
using System;
using System.Text;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls.WebParts;
using System.Text.RegularExpressions;
using System.Globalization;
using System.Net.Mail;

namespace Hometrust
{
    /// <summary>
    /// Code-behind for the broker "posted mortgage rates" page. Decides which rate
    /// blocks, titles and rate-sheet PDF link are shown, keyed on a region name read
    /// from the <c>username</c> query-string parameter.
    /// </summary>
    /// <remarks>
    /// NOTE(review): nothing in this page sets or reads a cookie, so the HttpOnly /
    /// Secure change discussed in the thread does not belong here; it belongs where
    /// the session and authentication cookies are issued (web.config &lt;httpCookies&gt;,
    /// BasePage, or an HttpModule) so that it applies to every response.
    ///
    /// NOTE(review): all live branching uses <c>Request.QueryString["username"]</c>,
    /// a caller-controlled value. The commented-out earlier version read
    /// <c>Session["username"]</c>. If the regional rate sheets are meant to be limited
    /// to the logged-in broker's region, the region must come from the authenticated
    /// session, not from the URL — confirm intent before relying on this gating.
    /// </remarks>
    public partial class AppraisersPage : BasePage
    {
        /// <summary>Wires the PreInit handler so the master page is chosen before the control tree is built.</summary>
        public AppraisersPage(){
            this.PreInit += new EventHandler(AppraisersPage_PreInit);
        }

        /// <summary>PreInit handler: selects the logged-in-broker master page (MasterPageFile can only be set this early).</summary>
        void AppraisersPage_PreInit(object sender, EventArgs e){
            MasterPageFile = "~/mp/BrokerLoggedIn_ON.master";
        }

        /// <summary>
        /// Applies the default (English, no French block, no Equity Assist panel)
        /// layout, then per-region visibility overrides and the rate-sheet link,
        /// all keyed on the <c>username</c> query-string value.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender,EventArgs e){
            // Dead code from an earlier sign-in flow. NOTE(review): Request[...] also
            // reads the query string, so the password would have travelled in URLs and
            // server logs — do not revive this as written.
            // if (Request["action"] != null && Request["action"].ToString() == "logout") SignOut();
            // divValid.Visible = Session["username"]!=null || SignIn(Request["username"],Request["password"]);
            // divInvalid.Visible = !divValid.Visible;

            // Defaults applied for every request before any region-specific override.
            div_Acc_rate_600_FRENCH.Visible = false;
            FrenchTitle.Visible = false;
            quick_rate_close_Fr.Visible = false;
            Becon_Maritime.Visible = false;
            div_Equity_Assist_Accelerator.Visible = false;

            //HOMETRUST ACCELERATOR RATES
            ratesTitle.Text = "<h1>Posted Mortgage Rates</h1>";
            ratesDisclaimer.Text = "Rates are subject to change without notice";
            ratesTextLink.Text = "Home Trust Accelerator Rates";

            /*Zafar Adding code to hide Accelerator Rates according to Broker logon*/
            if (Request.QueryString["username"] != null)
            {
                // NOTE(review): inside the outer null guard this condition is always
                // true — the first operand is "!= null" joined with ||. Presumably &&
                // was intended so that only the Maritime regions (HRM / New Brunswick /
                // Newfoundland) take this branch; as written every region does.
                if (Request.QueryString["username"] != null || (Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
                {
                    //if(Session["username"].ToString() == "Maritimes"){
                    //Acc_rate_600_blw.Visible = false ;
                    Equity_Assist_Accelerator.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                    //div_Acc_rate_600_blw.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                }
                else
                {
                    //nothing
                }

                // Quebec (English): hide the French block and the Equity Assist panel.
                if (Request.QueryString["username"].ToString() == "Quebec")
                {
                    Equity_Assist_Accelerator.Visible = false;
                    //Acc_rate_600_blw.Visible = false ;
                    div_Equity_Assist_Accelerator.Visible = false;
                    //div_Acc_rate_600_blw.Visible = false;
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                }
                else
                {
                    //nothing
                }

                // QC (French): hide the English side and re-enable the Equity Assist
                // panel. The two Visible = true lines at the end override the
                // Visible = false set a few lines above and by the default block,
                // so statement order matters here.
                if (Request.QueryString["username"].ToString() == "QC")
                {
                    //Acc_rate_600_blw.Visible = false ;
                    Equity_Assist_Accelerator.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                    //div_Acc_rate_600_blw.Visible = false;
                    div_Acc_rate_600_ENGLISH.Visible = false;
                    EnglishTitle.Visible = false;
                    quick_rate_close_en.Visible = false;
                    Becon_Maritime.Visible = false;
                    for_more_info.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = true;
                    Equity_Assist_Accelerator.Visible = true;
                }
                else
                {
                    //nothing
                }

                // The following five regions each repeat exactly the default block
                // applied at the top of Page_Load; they are no-ops as written.
                if (Request.QueryString["username"].ToString() == "British Columbia")
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                }
                else
                {
                    //nothing
                }

                if (Request.QueryString["username"].ToString() == "Ontario")
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                }
                else
                {
                    //nothing
                }

                if (Request.QueryString["username"].ToString() == "Manitoba")
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                }
                else
                {
                    //nothing
                }

                if (Request.QueryString["username"].ToString() == "Saskatchewan")
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                }
                else
                {
                    //nothing
                }

                if (Request.QueryString["username"].ToString() == "Alberta")
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
                }
                else
                {
                    //nothing
                }

                //if(Session["username"].ToString() == "Maritimes")
                // NOTE(review): same always-true condition as the first branch above
                // ("!= null ||" inside the null guard); the body only repeats defaults.
                if (Request.QueryString["username"] != null || (Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
                {
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                }
                else
                {
                    //nothing
                }
            }
            /* End ---Zafar Adding code to hide Accelerator Rates according to Broker logon*/

            // Rate-sheet PDF link per region. All four targets are fixed literals, so
            // the query-string value never reaches the href itself; it only selects
            // which literal is used.
            if (Request.QueryString["username"] != null)
            {
                //if(Session["username"].ToString() == "Maritimes"){
                // NOTE(review): && binds tighter than ||, so this reads
                // (notnull && HRM) || NB || NF. Harmless under the outer null guard,
                // but the grouping should be made explicit with parentheses.
                if (Request.QueryString["username"] != null && (Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
                {
                    ratesLink.HRef = "ratepdfs/MAR Accelerator Rate Sheet.pdf";
                }
                else if (Request.QueryString["username"].ToString() == "Quebec")
                {
                    //Response.Write(Session["username"]);
                    ratesLink.HRef = "ratepdfs/QC ENG Accelerator Rate Sheet.pdf";
                }
                else if(Request.QueryString["username"].ToString() == "QC"){
                    // Note the trailing space inside this literal; it is part of the
                    // emitted href as written.
                    ratesLink.HRef = "ratepdfs/QC FR Accelerator Rate Sheet.pdf ";
                }
                else
                {
                    // Any other (or unrecognised) region gets the ON/BC/AB sheet.
                    ratesLink.HRef = "ratepdfs/ON-BC-AB Accelerator Rate Sheet.pdf";
                    //ratesLink.HRef = "ratepdfs/QC FR Accelerator Rate Sheet.pdf ";
                }
            }

            // Earlier Session-driven version of the side links and titles, kept for
            // reference. This is the version that keyed on Session["username"]
            // rather than the query string.
            // if(Session["username"]!=null){
            // if(Session["username"].ToString() != "QC"){
            // start changes
            // switch (Session["username"].ToString())
            // {
            // case "Quebec":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20ENG%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
            // break;
            // case "Ontario":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
            // break;
            // case "Alberta":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
            // break;
            // case "British Columbia":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
            // break;
            // case "HRM":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
            // break;
            // case "New Brunswick":
            // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NB/NB%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NB/NB%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // break;
            // case "Newfoundland":
            // sideLinks.Text = "<a target=\"_blank\" href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NF/NF%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
            // sideLinks.Text += "<a target=\"_blank\" href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NF/NF%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // break;
            // case "Manitoba":
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/Manitoba/Manitoba%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // break;
            // case "Saskatchewan":
            // sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/Saskatchewan/Saskatchewan%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
            // break;
            // }
            // end changes
            // sideLinks.Text += "<a href=\""+System.Web.Configuration.WebConfigurationManager.AppSettings["secureFromSite"]+"form.aspx\">Mortgage Application</a>";
            // if (Session["username"] != null && !(Session["username"].ToString() == "Manitoba" || Session["username"].ToString() == "HRM" || Session["username"].ToString() == "Newfoundland" || Session["username"].ToString() == "New Brunswick" || Session["username"].ToString() == "Alberta" || Session["username"].ToString() == "British Columbia"))
            // {
            // sideLinks.Text += "<a id=\"equityLineVisaApp\" runat=\"server\" href=\"https://secure9.securewebexchange.com/equitylinevisa.ca/application.html\" target=\"_blank\">Equityline <em>Visa</em> Application</a>";
            // }
            // if(Session["username"]!=null && Session["username"].ToString()!="Quebec" ){
            // sideLinks.Text += "<a id=\"securedVisa\" runat=\"server\" href=\"http://www.hometrust.ca/documents/SecuredVisaApplication.pdf\">Secured <em>Visa</em> Application</a>";
            // }
            // leftColumnTitle.Text ="<h1>Home Trust Products</h1>";
            // ratesTitle.Text = " <h1>Home Trust Posted Mortgage Rates</h1><strong>Effective: ";
            // ratesDisclaimer.Text = "</strong>Rates are subject to change without notice";
            // ratesTextLink.Text = "Home Trust Accelerator Rates.PDF";
            // }else{
            // /*
            // sideLinks.Text = "<a href=\"appraisers.aspx?book=1&title=Home Trust Programme Classique\">Programme Classique</a>"+
            // "<a href=\"appraisers.aspx?book=2&title=Home Trust Programme Accélérateur\">Programme Accélérateur</a>";
            // sideLinks.Text +="<a id=\"equityLineVisa\" runat=\"server\" href=\"appraisers.aspx?book=3&title=Home Trust Programme Visa PropriOR\">Programme <emVisa</em> PropriOR</a>";
            // */
            // sideLinks.Text += "<a href=\""+System.Web.Configuration.WebConfigurationManager.AppSettings["secureFromSite"]+"form.aspx\">Une Demande Hypothécaire</a>";
            // sideLinks.Text += "<a id=\"equityLineVisaApp\" runat=\"server\" href=\"https://secure9.securewebexchange.com/equitylinevisa.ca/application.html\" target=\"_blank\">Une Demande <em>Visa</em> PropriOR</a>";
            // leftColumnTitle.Text ="<h1>Produits Home Trust</h1>";
            // ratesTitle.Text = " <h1>Taux Hypothécaires</h1><p><strong>En vigueur: ";
            // ratesDisclaimer.Text = "</strong>Les taux sont sujets aux changement sans préavis";
            // ratesTextLink.Text = "Taux affichés d'Accélérateur";
            // }
            // }
        }
    }
}
Monday, January 9, 2012 3:52 PM -
User1273594895 posted
You can create an HttpModule that handles the application's `PreSendRequestHeaders` event, then loop through the outgoing cookies (or the `Set-Cookie` response headers) and amend them there, adding `HttpOnly` and, for an HTTPS-only site, `Secure`. This gives you a single point of maintenance (for when you need to add exclusions) and also "upgrades" existing cookies on the next request. If you do not need exclusions, the simpler route is `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>` in web.config; note that this only affects cookies added through `Response.Cookies`, not raw `Set-Cookie` headers written with `AddHeader`.
Tuesday, January 24, 2012 10:22 AM -
User-1751227505 posted
Given that you have been working in this area of the code, did you ever work out how to set multiple values in one cookie using the AddHeader command?
cookie name = info
values username=<blah> and password=<blah>
i tried
Response.AddHeader "Set-Cookie", "CookieName=info;username=blah;password=blah; path=/; HttpOnly"
but that did not work. (It cannot: in a `Set-Cookie` header the `;` separates the cookie's attributes, so `username=blah` and `password=blah` are parsed as unknown attributes and dropped, not stored as values. To carry several values in one cookie, encode them inside the single value, e.g. `info=username=blah&password=blah; path=/; HttpOnly; Secure`, and split them back out yourself when reading. More importantly, a password should never be stored in a cookie, HttpOnly or not; keep a session identifier or a signed ticket in the cookie and the credentials server-side.)
I have to use classic ASP.
Saturday, March 23, 2013 6:25 PM