[Mono-list] HttpOnly cookies flag supported?
James Wright
james.wright at jigsawdezign.com
Fri Oct 4 17:42:18 UTC 2013
I think it should just default to setting the cookie.HttpOnly flag
to true at all times, as there is no reason at all for the AuthCookie to
be accessible by client-side script, is there?
James
On 04/10/2013 18:35, James Wright wrote:
>
> Ok, so from looking at the source, I don't see where the HttpOnly property
> is being set at all (I would have expected it to be with the setting
> of the Secure property);
>
> System.Web.Security.FormsAuthentication
> public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
> {
>     Initialize ();
>     if (userName == null)
>         userName = String.Empty;
>     if (strCookiePath == null || strCookiePath.Length == 0)
>         strCookiePath = cookiePath;
>     DateTime now = DateTime.Now;
>     DateTime then;
>     if (createPersistentCookie)
>         then = now.AddYears (50);
>     else
>         then = now.AddMinutes (timeout);
>     FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
>                                                                       userName,
>                                                                       now,
>                                                                       then,
>                                                                       createPersistentCookie,
>                                                                       String.Empty,
>                                                                       cookiePath);
>     if (!createPersistentCookie)
>         then = DateTime.MinValue;
>     HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket), strCookiePath, then);
>     if (requireSSL)
>         cookie.Secure = true;
>     if (!String.IsNullOrEmpty (cookie_domain))
>         cookie.Domain = cookie_domain;
>     return cookie;
> }
> Am I missing something?
>
> James
>
>
> On 04/10/2013 18:25, James Wright wrote:
>>
>> Nope, it's definitely "httpOnly", as in the browser will not let
>> client-side script access the cookie (the cookie is only for being
>> sent with each request).
>>
>> I think you are thinking of "requireSSL" which instructs the web
>> browser to only send the cookie over HTTPS and not unencrypted HTTP
>> connections.
>>
>>
>> James
>>
>>
>> On 04/10/2013 17:01, Ian Norton wrote:
>>>
>>> Do you mean httpsonly?
>>>
>>> On 4 Oct 2013 16:51, "James Wright" <james.wright at jigsawdezign.com> wrote:
>>>
>>> Hi,
>>>
>>> I've added the following piece of config to my Web.config to
>>> default the FormsAuthentication cookie as HttpOnly;
>>>
>>> <system.web>
>>> ...
>>> <httpCookies httpOnlyCookies="true" />
>>> ...
>>> </system.web>
>>>
>>> However the authentication cookie still does not show as being
>>> marked as HttpOnly when looking at it with FireBug.
>>>
>>> Is this a known issue or bug in Mono? Have I missed something
>>> obvious?
>>>
>>> Thanks,
>>> James
>>>
>>> OS: Amazon Linux
>>> Mono: 3.2.0
>>> .NET runtime: 4.5
>>> Framework: ASP.NET MVC 2.0
>>>
>>>
>>> _______________________________________________
>>> Mono-list maillist - Mono-list at lists.ximian.com
>>> http://lists.ximian.com/mailman/listinfo/mono-list
>>>
>>
>>
>
>
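Since the quoted GetAuthCookie never touches cookie.HttpOnly, one defender-side workaround is to re-check the outgoing forms cookie at the end of every request. The following IHttpModule is an added example written for this thread, not code from Mono or from the poster; the class and module names are invented, and it assumes the response has not been flushed before EndRequest (once the Set-Cookie header has been sent it can no longer be changed).

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not Mono's or the original poster's code): forces the
// HttpOnly flag on the forms-authentication cookie just before the
// response is sent, for runtimes whose GetAuthCookie leaves it unset.
// Assumption: the response has not been flushed before EndRequest.
public class AuthCookieHttpOnlyModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // FormsCookieName is whatever <forms name="..."> resolves to.
        app.EndRequest += (sender, e) =>
            ForceHttpOnly(app.Response.Cookies, FormsAuthentication.FormsCookieName);
    }

    public void Dispose() { }

    // Sets HttpOnly on every outgoing cookie whose name matches exactly and
    // returns how many cookies were changed. Iterating AllKeys deliberately
    // avoids the Response.Cookies[name] indexer, which silently creates an
    // empty cookie (and an extra Set-Cookie header) when the name is absent.
    public static int ForceHttpOnly(HttpCookieCollection cookies, string name)
    {
        int changed = 0;
        foreach (string key in cookies.AllKeys)
        {
            if (!string.Equals(key, name, StringComparison.Ordinal))
                continue;
            HttpCookie cookie = cookies[key];
            if (!cookie.HttpOnly)
            {
                cookie.HttpOnly = true;
                changed++;
            }
        }
        return changed;
    }
}

// Register the module in Web.config so it runs on every request
// (the "name" value is an arbitrary label chosen for this example):
//   <system.web>
//     <httpModules>
//       <add name="AuthCookieHttpOnly" type="AuthCookieHttpOnlyModule" />
//     </httpModules>
//   </system.web>
```

After deploying, confirm the fix the same way the thread does: inspect the Set-Cookie response header for the forms cookie and check that it now carries the HttpOnly attribute.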