HttpOnly cookies setup

  • Question

  • User-816235319 posted

    Hi

    I have an SSL application; I want to mark the cookies with the secure attribute so that they will only be transmitted if the communications channel with the host is via HTTPS. If the secure attribute is not specified, an attacker or a configuration error could potentially cause the cookies to be transmitted over HTTP, allowing unauthorized access to the application.

    My question is where in IIS7 I can alter the configuration to set the "httponly" attribute on all cookies.

    The application does not have "httponly"

    Thanks

    Friday, January 6, 2012 3:41 PM

Answers

  • User1273594895 posted

    You can create a module to handle the 'PreSendHeaders' (or something like that) event and then spin through the response headers and amend the cookies there. This would give you a single point of maintenance (for when you need to add exclusions) and would also "upgrade" existing cookies on the next request.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, January 24, 2012 10:22 AM
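A module along the lines the answer describes, added here as an example and not code from this thread or from the poster's application; the namespace, class name and the excluded cookie name are assumptions:

```csharp
// Added example (not code from this thread): an IHttpModule that hooks
// PreSendRequestHeaders and forces HttpOnly (and, over TLS, Secure) on every
// cookie in Response.Cookies before the headers are written. Namespace, class
// name and the "ui_prefs" exclusion are assumptions for illustration.
// Register it for IIS7 integrated mode in web.config:
//   <system.webServer><modules>
//     <add name="SecureCookieModule" type="Hometrust.Security.SecureCookieModule" />
//   </modules></system.webServer>
using System;
using System.Collections.Generic;
using System.Web;

namespace Hometrust.Security
{
    public class SecureCookieModule : IHttpModule
    {
        // Cookies that legitimately need to stay readable from script:
        // the single place to maintain exclusions, as the answer suggests.
        private static readonly HashSet<string> ScriptReadable =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ui_prefs" };

        public void Init(HttpApplication app)
        {
            app.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            HardenCookies(ctx.Response.Cookies, ctx.Request.IsSecureConnection);
        }

        // Kept separate from the event handler so it can be exercised in a test
        // with a hand-built HttpCookieCollection. Returns how many cookies changed.
        public static int HardenCookies(HttpCookieCollection cookies, bool isHttps)
        {
            int changed = 0;
            for (int i = 0; i < cookies.Count; i++)
            {
                HttpCookie cookie = cookies[i];
                if (ScriptReadable.Contains(cookie.Name)) continue;
                bool wasHttpOnly = cookie.HttpOnly, wasSecure = cookie.Secure;
                cookie.HttpOnly = true;
                // Secure only makes sense when this response itself is on HTTPS; a
                // Secure cookie set on a plain-HTTP response is never sent back.
                if (isHttps) cookie.Secure = true;
                if (cookie.HttpOnly != wasHttpOnly || cookie.Secure != wasSecure) changed++;
            }
            return changed;
        }

        public void Dispose() { }
    }
}
```

The module only walks Response.Cookies, so after deploying it confirm with the browser's developer tools or an intercepting proxy that every Set-Cookie header actually leaves the server with HttpOnly (and Secure over HTTPS).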

All replies

  • User1618479829 posted

    I tried like this in my application ..

    Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"
    Friday, January 6, 2012 3:45 PM
  • User-816235319 posted

    Thanks, it is an ASP.NET 3 application.

    Friday, January 6, 2012 3:48 PM
  • User1618479829 posted

    Hope you mean ASP.NET on the .NET 3.0 framework. 'HttpOnly' is supported in all versions of the .NET framework.

    Please go through this.

    http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx

    Friday, January 6, 2012 3:56 PM
  • User-816235319 posted
    I have the following code; where do I need to add the above line?
    Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly" 
     
    using System.Collections;
    using System.Collections.Generic;
    using System.Web.UI.WebControls;
    using System;
    using System.Text;
    using System.Data;
    using System.Configuration;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls.WebParts;
    using System.Text.RegularExpressions;
    using System.Globalization;
    using System.Net.Mail;
    namespace Hometrust
    
    
    {
    	public partial class AppraisersPage : BasePage {
            public AppraisersPage(){
                this.PreInit += new EventHandler(AppraisersPage_PreInit);
            }
    
            void AppraisersPage_PreInit(object sender, EventArgs e){
                MasterPageFile = "~/mp/BrokerLoggedIn_ON.master";
            }
    
    		protected void Page_Load(object sender,EventArgs e){
              //  if (Request["action"] != null && Request["action"].ToString() == "logout") SignOut();
    	      //  divValid.Visible = Session["username"]!=null || SignIn(Request["username"],Request["password"]);
    	      //  divInvalid.Visible = !divValid.Visible;
    			
    			
                    div_Acc_rate_600_FRENCH.Visible = false;
                    FrenchTitle.Visible = false;
                    quick_rate_close_Fr.Visible = false;
                    Becon_Maritime.Visible = false;
                    div_Equity_Assist_Accelerator.Visible = false;
    
    
                    //HOMETRUST ACCELERATOR RATES 
                    ratesTitle.Text = "<h1>Posted Mortgage Rates</h1>";
                    ratesDisclaimer.Text = "Rates are subject to change without notice";
                    ratesTextLink.Text = "Home Trust Accelerator Rates";
    			
    	
    			/*Zafar Adding code to hide Accelerator Rates according to Broker logon*/
                    if (Request.QueryString["username"] != null)
                    {
                        // Null was already checked by the enclosing if; with "||" this branch fired for
                        // every non-null username, so only the equality tests are kept.
                        if ((Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
                        {
         			//if(Session["username"].ToString() == "Maritimes"){
                        //Acc_rate_600_blw.Visible = false ;
    					Equity_Assist_Accelerator.Visible = false;
    					
    					div_Equity_Assist_Accelerator.Visible = false;
                        //div_Acc_rate_600_blw.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    
    			       }
    				   else
    				   {
    				    //nothing
    				   }
                        if (Request.QueryString["username"].ToString() == "Quebec")
                        {
    	         		Equity_Assist_Accelerator.Visible = false;
                        //Acc_rate_600_blw.Visible = false ;
    					div_Equity_Assist_Accelerator.Visible = false;
                        //div_Acc_rate_600_blw.Visible = false;
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
                    
    					
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "QC")
                        {
                        //Acc_rate_600_blw.Visible = false ;
    					Equity_Assist_Accelerator.Visible = false;
    					div_Equity_Assist_Accelerator.Visible = false;
                        //div_Acc_rate_600_blw.Visible = false;
    					div_Acc_rate_600_ENGLISH.Visible = false;
    					EnglishTitle.Visible = false;
                        quick_rate_close_en.Visible = false;
    					Becon_Maritime.Visible = false;
    					for_more_info.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = true;
                        Equity_Assist_Accelerator.Visible = true;
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "British Columbia")
                        {
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					Becon_Maritime.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = false;
    					
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "Ontario")
                        {
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					Becon_Maritime.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = false;
    
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "Manitoba")
                        {
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					Becon_Maritime.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = false;
    
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "Saskatchewan")
                        {
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					Becon_Maritime.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = false;
    
    			       }
    				   else
    				   {
    				    //nothing
    				   }
    
                        if (Request.QueryString["username"].ToString() == "Alberta")
                        {
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					Becon_Maritime.Visible = false;
                        div_Equity_Assist_Accelerator.Visible = false;
    			       }
    				   else
    				   {
    				    //nothing
    				   }	
    				   
    				   
    				    //if(Session["username"].ToString() == "Maritimes")
                        // Same fix as above: the "!= null ||" made this true for every username.
                        if ((Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
    					{
    					
    					div_Acc_rate_600_FRENCH.Visible = false;
    					FrenchTitle.Visible = false;
    					quick_rate_close_Fr.Visible = false;
    					
    			       }
    				   else
    				   {
    				    //nothing
    				   }							   
    			}
    			/* End ---Zafar Adding code to hide Accelerator Rates according to Broker logon*/
    
    
    
                    if (Request.QueryString["username"] != null)
                    {
    				//if(Session["username"].ToString() == "Maritimes"){
                        // "&&" binds tighter than "||", so the original null check only covered the HRM
                        // case; the enclosing if already guarantees a non-null username.
                        if ((Request.QueryString["username"].ToString() == "HRM") || (Request.QueryString["username"].ToString() == "New Brunswick") || (Request.QueryString["username"].ToString() == "Newfoundland"))
                        {
    					ratesLink.HRef  = "ratepdfs/MAR Accelerator Rate Sheet.pdf";
    
                        }
                        else if (Request.QueryString["username"].ToString() == "Quebec")
                        {
    					//Response.Write(Session["username"]);
    					
    					ratesLink.HRef  = "ratepdfs/QC ENG Accelerator Rate Sheet.pdf";
    				} else if(Request.QueryString["username"].ToString() == "QC"){
                        ratesLink.HRef = "ratepdfs/QC FR Accelerator Rate Sheet.pdf"; // trailing space removed from the file name
    				} else {
    					ratesLink.HRef  = "ratepdfs/ON-BC-AB Accelerator Rate Sheet.pdf";
                        //ratesLink.HRef = "ratepdfs/QC FR Accelerator Rate Sheet.pdf ";
    				}
    			}	
    //			
    //			if(Session["username"]!=null){
    //				if(Session["username"].ToString() != "QC"){ 
    //				
    //
    //		
    //		// start changes	
    //				 switch (Session["username"].ToString())
    //                    {
    //					
    //						case "Quebec":
    // sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20ENG%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //       sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/QCENG/QC%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
    //                            break;
    //
    //                        case "Ontario":
    //                        sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //       sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/ON/ON%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
    //                            break;
    //
    //                        case "Alberta":
    //                      sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //       sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/AB/AB%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
    //                            break;
    //						case "British Columbia":
    //       sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //       sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/BC/BC%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
    //							
    //                            break;
    //							
    //							 case "HRM":
    //          sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //       sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/HRM/HRM%20Classic%20Booklet.pdf\">Equityline <em>Visa</em> Guide</a>";
    //                            break;
    //							
    //		
    //					case "New Brunswick":
    //          sideLinks.Text = "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NB/NB%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NB/NB%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //               break;
    //			   
    //			   case "Newfoundland":
    //	   sideLinks.Text = "<a target=\"_blank\"  href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NF/NF%20Classic%20Booklet.pdf\">Classic Program Guide</a>";
    //			   
    //	   sideLinks.Text += "<a target=\"_blank\" href=\"http://www.hometrust.ca/pageFlip/pages/pdf/NF/NF%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //	   
    //               break;
    //							
    //							
    //							
    //				case "Manitoba":               			
    //	   sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/Manitoba/Manitoba%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //                break;
    //							
    //				case "Saskatchewan":
    //			sideLinks.Text += "<a href=\"http://www.hometrust.ca/pageFlip/pages/pdf/Saskatchewan/Saskatchewan%20Accelerator%20Booklet.pdf\">Accelerator Program Guide</a>";
    //                break;	
    //					}	 
    //					 
    //	  // end changes	
    //		 
    //					sideLinks.Text += "<a href=\""+System.Web.Configuration.WebConfigurationManager.AppSettings["secureFromSite"]+"form.aspx\">Mortgage Application</a>";
    //
    //                    if (Session["username"] != null && !(Session["username"].ToString() == "Manitoba" || Session["username"].ToString() == "HRM"  || Session["username"].ToString() == "Newfoundland"  || Session["username"].ToString() == "New Brunswick" || Session["username"].ToString() == "Alberta" || Session["username"].ToString() == "British Columbia"))
    //                    {		
    //						sideLinks.Text +=   "<a id=\"equityLineVisaApp\" runat=\"server\" href=\"https://secure9.securewebexchange.com/equitylinevisa.ca/application.html\" target=\"_blank\">Equityline <em>Visa</em> Application</a>";
    //					}			
    //								
    //					if(Session["username"]!=null && Session["username"].ToString()!="Quebec" ){
    //						
    //						sideLinks.Text +=   "<a id=\"securedVisa\" runat=\"server\" href=\"http://www.hometrust.ca/documents/SecuredVisaApplication.pdf\">Secured <em>Visa</em> Application</a>";
    //					}
    //					
    //					leftColumnTitle.Text ="<h1>Home Trust Products</h1>";
    //									
    //					ratesTitle.Text = " <h1>Home Trust Posted Mortgage Rates</h1><strong>Effective: ";
    //					
    //					ratesDisclaimer.Text = "</strong>Rates are subject to change without notice";
    //					ratesTextLink.Text = "Home Trust Accelerator Rates.PDF";
    //									
    //				}else{
    //				
    //				/*
    //					
    //					sideLinks.Text = "<a href=\"appraisers.aspx?book=1&title=Home Trust Programme Classique\">Programme Classique</a>"+
    //									"<a href=\"appraisers.aspx?book=2&title=Home Trust Programme Accélérateur\">Programme Accélérateur</a>";
    //									
    //								
    //					sideLinks.Text +="<a id=\"equityLineVisa\" runat=\"server\" href=\"appraisers.aspx?book=3&title=Home Trust Programme Visa PropriOR\">Programme <emVisa</em> PropriOR</a>"; 
    //					*/
    //					sideLinks.Text += "<a href=\""+System.Web.Configuration.WebConfigurationManager.AppSettings["secureFromSite"]+"form.aspx\">Une Demande Hypothécaire</a>";
    //					sideLinks.Text +=   "<a id=\"equityLineVisaApp\" runat=\"server\" href=\"https://secure9.securewebexchange.com/equitylinevisa.ca/application.html\" target=\"_blank\">Une Demande <em>Visa</em> PropriOR</a>";
    //						
    //					leftColumnTitle.Text ="<h1>Produits Home Trust</h1>";
    //					
    //					ratesTitle.Text = " <h1>Taux Hypothécaires</h1><p><strong>En vigueur: ";
    //					ratesDisclaimer.Text = "</strong>Les taux sont sujets aux changement sans préavis";	
    //					ratesTextLink.Text = "Taux affichés d'Accélérateur";
    //				}	
    //			}
    				
    			
    		}	
    	}
    }
    Monday, January 9, 2012 3:52 PM
  • User-1751227505 posted

    Given that you have been working with this area of code, did you ever work out how to set multiple cookie values using the AddHeader command?

    cookie name = info

    values username=<blah> and password=<blah>

    I tried

    Response.AddHeader "Set-Cookie", "CookieName=info;username=blah;password=blah; path=/; HttpOnly"

    but that did not work.

    I have to use classic ASP.

    Saturday, March 23, 2013 6:25 PM