[Mono-list] HttpOnly cookies flag supported?

James Wright james.wright at jigsawdezign.com
Fri Oct 4 17:35:37 UTC 2013


Ok, so from looking at the source, I don't see where the HttpOnly property 
is being set at all (I would have expected it to be with the setting of 
the Secure property);

System.Web.Security.FormsAuthentication

public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
{
    Initialize ();
    if (userName == null)
        userName = String.Empty;
    if (strCookiePath == null || strCookiePath.Length == 0)
        strCookiePath = cookiePath;
    DateTime now = DateTime.Now;
    DateTime then;
    if (createPersistentCookie)
        then = now.AddYears (50);
    else
        then = now.AddMinutes (timeout);
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
                                                                      userName,
                                                                      now,
                                                                      then,
                                                                      createPersistentCookie,
                                                                      String.Empty,
                                                                      cookiePath);
    if (!createPersistentCookie)
        then = DateTime.MinValue;
    HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket), strCookiePath, then);
    // Secure is derived from requireSSL here, but cookie.HttpOnly is never touched
    if (requireSSL)
        cookie.Secure = true;
    if (!String.IsNullOrEmpty (cookie_domain))
        cookie.Domain = cookie_domain;
    return cookie;
}

   Am I missing something?

James


On 04/10/2013 18:25, James Wright wrote:
>
>   Nope, it's definitely "httpOnly", as in the browser will not let 
> client-side script access the cookie (the cookie is only for being 
> sent with each request).
>
>   I think you are thinking of "requireSSL" which instructs the web 
> browser to only send the cookie over HTTPS and not unencrypted HTTP 
> connections.
>
>
> James
>
>
> On 04/10/2013 17:01, Ian Norton wrote:
>>
>> Do you mean httpsonly?
>>
>> On 4 Oct 2013 16:51, "James Wright" <james.wright at jigsawdezign.com> wrote:
>>
>>     Hi,
>>
>>        I've added the following piece of config to my Web.config to
>>     default the FormsAuthentication cookie as HttpOnly;
>>
>>       <system.web>
>>           ...
>>           <httpCookies httpOnlyCookies="true" />
>>            ...
>>       </system.web>
>>
>>       However the authentication cookie still does not show as being
>>     marked as HttpOnly when looking at it with FireBug.
>>
>>       Is this a known issue or bug in Mono? Have I missed something
>>     obvious?
>>
>>     Thanks,
>>     James
>>
>>     OS: Amazon Linux
>>     Mono: 3.2.0
>>     .NET runtime: 4.5
>>     Framework: ASP.NET MVC2.0
>>
>>
>>     _______________________________________________
>>     Mono-list maillist  - Mono-list at lists.ximian.com
>>     http://lists.ximian.com/mailman/listinfo/mono-list
>>
>
>
>
> _______________________________________________
> Mono-list maillist  -  Mono-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-list
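Added example (editor's code, not Mono's source and not posted in this thread): the usual way to stop depending on whether the runtime honours <httpCookies httpOnlyCookies="true" /> is to set HttpOnly (and Secure) on the cookie explicitly in the application. The first helper wraps FormsAuthentication.GetAuthCookie, which the thread shows does not set HttpOnly; the second runs from Application_EndRequest in Global.asax so cookies added elsewhere (e.g. by FormsAuthentication.SetAuthCookie) get the flags too. The names AuthCookieHelper, CreateHardenedAuthCookie and HardenResponseCookies are this example's own; HttpCookie.HttpOnly, HttpCookie.Secure and the Global.asax event are standard ASP.NET.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example); assumes an ASP.NET app using FormsAuthentication.
public static class AuthCookieHelper
{
    // Build the forms-auth cookie through the framework, then set the flags
    // ourselves so the result does not rely on web.config handling.
    public static HttpCookie CreateHardenedAuthCookie(string userName, bool persistent, bool requireSsl)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        cookie.HttpOnly = true;      // browser will not expose it to document.cookie
        cookie.Secure = requireSsl;  // only sent over HTTPS when the site is served over HTTPS
        return cookie;
    }

    // Apply the same flags to every cookie queued on the current response.
    // Keys come from AllKeys, so the indexer returns existing cookies only.
    public static void HardenResponseCookies(HttpResponse response, bool requireSsl)
    {
        foreach (string key in response.Cookies.AllKeys)
        {
            HttpCookie c = response.Cookies[key];
            if (c == null)
                continue;
            c.HttpOnly = true;
            if (requireSsl)
                c.Secure = true;
        }
    }
}

// Global.asax.cs: wire the response-wide hardening into the pipeline.
public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Request.IsSecureConnection is true when the current request came in over HTTPS.
        AuthCookieHelper.HardenResponseCookies(Response, Request.IsSecureConnection);
    }
}

// Login action (MVC) using the first helper:
//   HttpCookie auth = AuthCookieHelper.CreateHardenedAuthCookie(model.UserName, model.RememberMe, Request.IsSecureConnection);
//   Response.Cookies.Add(auth);
//   return Redirect(FormsAuthentication.GetRedirectUrl(model.UserName, model.RememberMe));
```

To confirm the fix on the server rather than through a browser add-on, fetch the login response with `curl -i` and check that the Set-Cookie header for the forms-auth cookie (`.ASPXAUTH` by default) carries the `HttpOnly` attribute, and `Secure` when served over HTTPS.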
