User-859931520 posted
Please enable this as a setting in future versions of ASP.Net. This setting breaks applications that require access to the session cookie to enforce security. I appreciate Microsoft's new focus on security consciousness, but this should mean good defaults, not blocking configuration altogether.
For us, the problem is that these cookies are being blocked so Java applets cannot access them. So any pages accessed by a Java applet get redirected to the login page. I suspect the same problem appears in other plugins which connect back to the server to retrieve data. The workaround is to either make the data access pages anonymous, which is a huge security hole, or turn off the HttpOnly flag on session cookies using a hack.
For those needing a workaround that turns the HttpOnly flag off for session cookies, see:
http://nerd.steveferson.com/2007/09/14/act-sessionid-and-login-problems-with-asp-net-20/
http://forums.asp.net/p/955272/1177574.aspx#1177574