[Mono-list] HttpOnly cookies flag supported?

James Wright james.wright at jigsawdezign.com
Fri Oct 4 17:25:57 UTC 2013


   Nope, it's definitely "httpOnly", as in the browser will not let 
client-side script access the cookie (the cookie is only for being sent 
with each request).

   I think you are thinking of "requireSSL" which instructs the web 
browser to only send the cookie over HTTPS and not unencrypted HTTP 
connections.


James


On 04/10/2013 17:01, Ian Norton wrote:
>
> Do you mean httpsonly?
>
> On 4 Oct 2013 16:51, "James Wright" <james.wright at jigsawdezign.com 
> <mailto:james.wright at jigsawdezign.com>> wrote:
>
>     Hi,
>
>        I've added the following piece of config to my Web.config to
>     default the FormsAuthentication cookie as HttpOnly;
>
>       <system.web>
>           ...
>           <httpCookies httpOnlyCookies="true" />
>            ...
>       </system.web>
>
>       However the authentication cookie still does not show as being
>     marked as HttpOnly when looking at it with FireBug.
>
>       Is this a known issue or bug in Mono? Have i missed something
>     obvious?
>
>     Thanks,
>     James
>
>     OS: Amazon Linux
>     Mono: 3.2.0
>     .NET runtime: 4.5
>     Framework: ASP.NET <http://ASP.NET> MVC2.0
>
>
>     _______________________________________________
>     Mono-list maillist  - Mono-list at lists.ximian.com
>     <mailto:Mono-list at lists.ximian.com>
>     http://lists.ximian.com/mailman/listinfo/mono-list
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ximian.com/pipermail/mono-list/attachments/20131004/e752643f/attachment.html>


More information about the Mono-list mailing list