[Mono-list] HttpOnly cookies flag supported?

James Wright james.wright at jigsawdezign.com
Fri Oct 4 17:42:18 UTC 2013


     I think it should just default to setting the cookie.HttpOnly flag 
to true at all times, as there is no reason at all for the AuthCookie to 
be accessible by client-side script, is there?

James

On 04/10/2013 18:35, James Wright wrote:
>
> Ok, so from looking at the source, I don't see where the HttpOnly property 
> is being set at all (I would have expected it to be with the setting 
> of the Secure property);
>
> System.Web.Security.FormsAuthentication
> public static HttpCookie GetAuthCookie (string userName, bool
>                                         createPersistentCookie, string strCookiePath)
> {
>     Initialize ();
>     if (userName == null)
>         userName = String.Empty;
>     if (strCookiePath == null || strCookiePath.Length == 0)
>         strCookiePath = cookiePath;
>     DateTime now = DateTime.Now;
>     DateTime then;
>     if (createPersistentCookie)
>         then = now.AddYears (50);
>     else
>         then = now.AddMinutes (timeout);
>     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
>                                                                      userName,
>                                                                      now,
>                                                                      then,
>                                                                      createPersistentCookie,
>                                                                      String.Empty,
>                                                                      cookiePath);
>     if (!createPersistentCookie)
>         then = DateTime.MinValue;
>     HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket),
>                                         strCookiePath, then);
>     if (requireSSL)
>         cookie.Secure = true;
>     if (!String.IsNullOrEmpty (cookie_domain))
>         cookie.Domain = cookie_domain;
>     return cookie;
> }
>   Am I missing something?
>
> James
>
>
> On 04/10/2013 18:25, James Wright wrote:
>>
>>   Nope, it's definitely "httpOnly", as in the browser will not let 
>> client-side script access the cookie (the cookie is only for being 
>> sent with each request).
>>
>>   I think you are thinking of "requireSSL" which instructs the web 
>> browser to only send the cookie over HTTPS and not unencrypted HTTP 
>> connections.
>>
>>
>> James
>>
>>
>> On 04/10/2013 17:01, Ian Norton wrote:
>>>
>>> Do you mean httpsonly?
>>>
>>> On 4 Oct 2013 16:51, "James Wright" <james.wright at jigsawdezign.com> wrote:
>>>
>>>     Hi,
>>>
>>>        I've added the following piece of config to my Web.config to
>>>     default the FormsAuthentication cookie as HttpOnly;
>>>
>>>       <system.web>
>>>           ...
>>>           <httpCookies httpOnlyCookies="true" />
>>>            ...
>>>       </system.web>
>>>
>>>       However the authentication cookie still does not show as being
>>>     marked as HttpOnly when looking at it with FireBug.
>>>
>>>       Is this a known issue or bug in Mono? Have I missed something
>>>     obvious?
>>>
>>>     Thanks,
>>>     James
>>>
>>>     OS: Amazon Linux
>>>     Mono: 3.2.0
>>>     .NET runtime: 4.5
>>>     Framework: ASP.NET MVC2.0
>>>
>>>
>>>     _______________________________________________
>>>     Mono-list maillist  - Mono-list at lists.ximian.com
>>>     <mailto:Mono-list at lists.ximian.com>
>>>     http://lists.ximian.com/mailman/listinfo/mono-list
>>>
>>
>>
>>
>
>
>

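A defensive workaround for the behaviour discussed in this thread, added here as an example rather than code from the original messages or from the Mono project: instead of relying on the `<httpCookies httpOnlyCookies="true" />` setting being honoured when the forms-authentication cookie is built, the application sets `HttpCookie.HttpOnly` (and `Secure` on HTTPS requests) itself at the point where it issues the cookie, and additionally forces the flag on any outgoing cookie named `FormsAuthentication.FormsCookieName` just before the response headers are sent, which also covers code paths such as `FormsAuthentication.RedirectFromLoginPage` that emit the cookie without going through the login action. It assumes an ASP.NET MVC 2 application with a `Global.asax`-derived `HttpApplication`; `ValidateCredentials` is a hypothetical placeholder for the application's own credential check and is not a framework API.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password, bool rememberMe)
    {
        // Hypothetical placeholder for the application's own credential check.
        if (!ValidateCredentials(userName, password))
            return View();

        // Build the encrypted forms-authentication ticket cookie via the framework,
        // then set the flags explicitly rather than trusting the runtime's config handling.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, rememberMe);
        authCookie.HttpOnly = true;              // never readable by client-side script
        if (Request.IsSecureConnection)
            authCookie.Secure = true;            // only sent back over HTTPS

        Response.Cookies.Add(authCookie);
        return Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe));
    }

    // Placeholder only; a real implementation verifies against the membership store.
    private static bool ValidateCredentials(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}

public class MvcApplication : HttpApplication
{
    // Belt-and-braces: right before headers go out, mark the auth cookie HttpOnly
    // wherever it was created. Checking AllKeys first avoids the Response.Cookies
    // indexer creating an empty cookie when none is present.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        string name = FormsAuthentication.FormsCookieName;
        if (Response.Cookies.AllKeys.Contains(name))
        {
            HttpCookie cookie = Response.Cookies[name];
            cookie.HttpOnly = true;
            if (Request.IsSecureConnection)
                cookie.Secure = true;
        }
    }
}
```

After deploying, confirm the change the same way the thread does: inspect the `Set-Cookie` response header for the login response (in FireBug's Net panel or with `curl -i`) and check that it carries the `HttpOnly` attribute, and `Secure` when served over HTTPS.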