[Mono-list] HttpOnly cookies flag supported?
james.wright at jigsawdezign.com
Fri Oct 4 17:35:37 UTC 2013
Ok, so from looking at the source, I don't see where the HttpOnly property
is being set at all (I would have expected it to be with the setting of
the Secure property):

    public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
    if (userName == null)
        userName = String.Empty;
    if (strCookiePath == null || strCookiePath.Length == 0)
        strCookiePath = cookiePath;
    DateTime now = DateTime.Now;
    then = now.AddYears (50);
    then = now.AddMinutes (timeout);
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
    then = DateTime.MinValue;
    HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket),
    cookie.Secure = true;
    if (!String.IsNullOrEmpty (cookie_domain))
        cookie.Domain = cookie_domain;

Am I missing something?
On 04/10/2013 18:25, James Wright wrote:
> Nope, it's definitely "httpOnly", as in the browser will not let
> client-side script access the cookie (the cookie is only for being
> sent with each request).
> I think you are thinking of "requireSSL" which instructs the web
> browser to only send the cookie over HTTPS and not unencrypted HTTP.
> On 04/10/2013 17:01, Ian Norton wrote:
>> Do you mean httpsonly?
>> On 4 Oct 2013 16:51, "James Wright" <james.wright at jigsawdezign.com> wrote:
>> I've added the following piece of config to my Web.config to
>> default the FormsAuthentication cookie as HttpOnly;
>> <httpCookies httpOnlyCookies="true" />
>> However the authentication cookie still does not show as being
>> marked as HttpOnly when looking at it with FireBug.
>> Is this a known issue or bug in Mono? Have I missed something
>> OS: Amazon Linux
>> Mono: 3.2.0
>> .NET runtime: 4.5
>> Framework: ASP.NET MVC2.0
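
An application-level workaround for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Mono's source: set HttpOnly on the forms-authentication cookie explicitly rather than relying on the httpOnlyCookies setting. AuthCookieHelper, its method names and the Global class are hypothetical; the System.Web calls are the standard ASP.NET ones, and the EndRequest sweep assumes a buffered response.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not Mono's or the poster's code.
// AuthCookieHelper and its method names are hypothetical.
public static class AuthCookieHelper
{
    // Build the forms-auth cookie and set HttpOnly explicitly instead of
    // relying on <httpCookies httpOnlyCookies="true" /> being honoured.
    public static HttpCookie BuildAuthCookie (string userName, bool persistent)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie (userName, persistent);
        cookie.HttpOnly = true;                 // not readable via document.cookie
        if (FormsAuthentication.RequireSSL)
            cookie.Secure = true;               // keep the requireSSL behaviour
        return cookie;
    }

    // Use in the login action in place of FormsAuthentication.SetAuthCookie.
    public static void SignIn (HttpResponseBase response, string userName, bool persistent)
    {
        if (response == null)
            throw new ArgumentNullException ("response");
        response.Cookies.Add (BuildAuthCookie (userName, persistent));
    }
}

// Global.asax.cs: safety net for any code path that still issues the
// cookie another way, such as ticket renewal under sliding expiration.
// Assumes the response is buffered, so headers have not been sent when
// EndRequest fires.
public class Global : HttpApplication
{
    protected void Application_EndRequest (object sender, EventArgs e)
    {
        foreach (string name in Response.Cookies.AllKeys) {
            if (name == FormsAuthentication.FormsCookieName)
                Response.Cookies [name].HttpOnly = true;
        }
    }
}
```

To confirm the result, inspect the raw Set-Cookie response header for the forms cookie and check that it carries the HttpOnly attribute.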