Enabling HTTPOnly to Secure in Asp.Net

We have enabled HttpOnly for our site.

<configuration>
    <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="true" />
    </system.web>
</configuration>

This works great when we access the site in an unsecured region. But in the secure live region (HTTPS) this does not work and we can get session keys. How to soften it? Any idea would be very helpful.

I'm trying in Asp.Net 2.0.

+3

1 answer


I have tons of solutions here dude. Just feel free to choose among these solutions that suit your needs.

  • In Global.asax, overwrite the Session_Start method as follows.

    <script runat="server">
        void Session_Start(object sender, EventArgs e)
        {
            // Clear the HttpOnly flag on the forms-authentication cookie and
            // on the session cookie, leaving every other cookie untouched.
            if (Response.Cookies.Count > 0)
            {
                foreach (string s in Response.Cookies.AllKeys)
                {
                    if (s == System.Web.Security.FormsAuthentication.FormsCookieName ||
                        s.ToLower().Equals("asp.net_sessionid"))
                    {
                        Response.Cookies[s].HttpOnly = false;
                    }
                }
            }
        }
    </script>


link: http://nerd.steveferson.com/2007/09/14/act-sessionid-and-login-problems-with-asp-net-20/#.URiXUqWzd9c

  • Note that in ASP.NET 1.1, the System.Net.Cookie class does not support the HttpOnly property. Therefore, to add the HttpOnly attribute to the cookie, you can add the following code to your application's Application_EndRequest event handler in Global.asax:

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        // Fully qualified so the handler compiles in Global.asax without an Import directive.
        string authCookie = System.Web.Security.FormsAuthentication.FormsCookieName;

        // Enumerating the collection yields the cookie names.
        foreach (string sCookie in Response.Cookies)
        {
            if (sCookie.Equals(authCookie))
            {
                // ASP.NET 1.1 has no HttpOnly property, so the attribute is appended to
                // the Path value, which is written verbatim into the Set-Cookie header.
                Response.Cookies[sCookie].Path += ";HttpOnly";
            }
        }
    }

link: http://blogs.msdn.com/b/dansellers/archive/2006/03/13/550947.aspx

  • Add this to your Global.asax

    void Application_EndRequest(Object sender, EventArgs e)
    {
        // Clear the HttpOnly flag on the session cookie only.
        if (Response.Cookies.Count > 0)
        {
            foreach (string s in Response.Cookies.AllKeys)
            {
                if (s == "ASP.NET_SessionId")
                {
                    Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
                }
            }
        }
    }

link: from this forum http://forums.asp.net/p/955272/1177574.aspx#1177574

You can also try this post, HttpOnly Cookies on ASP.NET 1.1 by Scott Hanselman, but it's ASP.NET 1.1.

+2

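
As an added example (not code from the answer above or from the linked posts), a Global.asax handler that goes the other way from the snippets in the answer: it forces HttpOnly on the forms-authentication and session cookies and, when the request arrived over HTTPS, the Secure flag as well. It assumes ASP.NET 2.0 or later, where HttpCookie.HttpOnly exists, and the default session cookie name ASP.NET_SessionId.

```csharp
// Added example, not part of the original question or answer.
// Assumes ASP.NET 2.0+ (HttpCookie.HttpOnly is available) and the default
// session cookie name "ASP.NET_SessionId".
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string SessionCookieName = "ASP.NET_SessionId"; // default name

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        if (Response.Cookies.Count == 0)
            return;

        // IsSecureConnection reflects the connection ASP.NET itself saw; behind a
        // TLS-terminating load balancer it can be false even for HTTPS clients.
        bool isHttps = Request.IsSecureConnection;

        // AllKeys returns a copy of the names, so the collection is not modified
        // while it is being enumerated. Indexing by an existing name returns the
        // cookie that is about to be written in the Set-Cookie header.
        foreach (string name in Response.Cookies.AllKeys)
        {
            if (!IsSensitiveCookie(name))
                continue;

            HttpCookie cookie = Response.Cookies[name];
            cookie.HttpOnly = true;      // not readable from document.cookie
            if (isHttps)
                cookie.Secure = true;    // browser will only send it over HTTPS
        }
    }

    // The two cookies whose theft equals account takeover: the forms-auth ticket
    // and the session id. Comparison is case-insensitive because cookie names
    // are sent back by the browser exactly as they were set, in either case.
    private static bool IsSensitiveCookie(string name)
    {
        return string.Equals(name, FormsAuthentication.FormsCookieName,
                             StringComparison.OrdinalIgnoreCase)
            || string.Equals(name, SessionCookieName,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

With httpOnlyCookies and requireSSL set as in the question's web.config, ASP.NET 2.0 already emits both attributes; this handler is a belt-and-braces check that application code has not cleared them again.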