
I am developing an ASP.NET MVC server with Entity Framework 6.0. As far as I'm aware, it's set up to be compatible with EF 4.5 (<httpRuntime targetFramework="4.5" />).

I want to ensure that the session cookie (i.e. the cookie that stores the session identifier) is HttpOnly, since that's an industry-wide best practice, which helps protect against Cross-Site Request Forgery attacks.

The problem is, it's created automatically by the framework, so I can't simply change an object's property right after calling the constructor, as is the case with all the other cookies.

In Web.config, I've set <httpCookies httpOnlyCookies="true" />, and yet - when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false). And I don't quite know how to change that.

I couldn't find anything in Microsoft's documentation about Web.config's <sessionState> that would change that. Here on Stack Overflow I only found a four-year-old question talking about how the session cookie is HttpOnly by default, which is the precise opposite for me, and a five-day-old question asking why the session cookie is not HttpOnly by default - which for some inexplicable reason was closed - without a comment - as a duplicate of the former.

I know I can retrieve the session cookie, check it and set HttpOnly=true on every request (or do that less often with a slightly more refined/hackish filter, or set it manually on login, or...), but I'm not a blood-soaked barbarian; there has to be a proper way to do this.

So, how do I set the session cookie to HttpOnly?

Dragomok
  • I closed [the second question](http://stackoverflow.com/questions/39624162/why-asp-net-sessionid-cookie-by-default-is-not-httponly) as ***Duplicate***. The accepted [answer](http://stackoverflow.com/a/2247221/296861) explicitly states that the session cookie is ***httponly*** and you cannot modify it. – Win Sep 26 '16 at 18:33
  • 2
    @Win But the problem is, in my project, the session cookie is *not* httponly, so either the framework did a 180-degree turn over 4 years on the default properties of the cookie, or there *is* some way to change it and I - or the other dev on my team - have somehow changed it. What I'm trying to say is that the reality of my issue and the answer don't match up. – Dragomok Sep 26 '16 at 18:39

1 Answer


The session cookie will always be HttpOnly. You cannot modify or override it.

> when I retrieve the session cookie - it is not HttpOnly (its HttpCookie.HttpOnly property is set false).

// Request.Cookies is rebuilt from the incoming Cookie request header,
// which carries only name=value pairs, never the HttpOnly/Secure attributes.
var cookie = Request.Cookies["ASP.NET_SessionId"];
if (cookie != null)
{
    var httpOnly = cookie.HttpOnly; // <-- This is always false
}

The HttpOnly value is always false on the server side, because the client browser does not send back to the server whether a cookie is HttpOnly or not.

How can I verify?

You can use a cookie editor such as the Chrome plugin EditThisCookie.


Win
  • So it was an XY problem after all. This was the explanation I was looking for. Thank you. – Dragomok Sep 26 '16 at 19:19
  • But I can edit HttpOnly cookies in Chrome -> Application -> Cookies – Ramil Aliyev 007 Feb 12 '21 at 11:59
  • Been a while since this was posted and I figured I'd just note that if I give the session cookie an explicit name, then it does NOT show HttpOnly in Chrome even if I explicitly set it like this: ` var sessionCookie = new CookieBuilder(); sessionCookie.Name = ".MyWebSite"; sessionCookie.HttpOnly=true; sessionCookie.SecurePolicy = CookieSecurePolicy.Always; sessionCookie.SameSite = SameSiteMode.Strict; app.UseSession(new SessionOptions() { Cookie = sessionCookie });` I must be missing something about how to get it work, but it definitely is not defaulting to httponly – EGP Feb 04 '22 at 22:17
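The point of Win's answer is that the HttpOnly flag lives in the Set-Cookie response header, and the browser never echoes it back in the Cookie request header, so reading HttpCookie.HttpOnly from Request.Cookies tells you nothing. The following added example (not code from the page or from Win) checks the flag on the response side instead: it parses Set-Cookie values, lists cookies set without HttpOnly, and parses a Cookie request header to show that it carries only name=value pairs. The sample headers are constructed to look like what an ASP.NET site emits when it creates a session; the function names and the optional live-fetch helper are this example's own.

```python
"""Check the HttpOnly flag where it actually lives: in the Set-Cookie response
header. Constructed sample headers are embedded so this runs offline."""
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SetCookie:
    """One parsed Set-Cookie header value."""
    name: str
    value: str
    # lower-cased attribute name -> attribute value ("" for bare flags like HttpOnly)
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie value into name, value and attributes (RFC 6265, 5.2).
    Attribute names are case-insensitive, so 'HttpOnly' and 'httponly' both count."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return SetCookie(name.strip(), value, attrs)


def parse_cookie_request_header(header: str) -> Dict[str, str]:
    """Parse the Cookie *request* header. Browsers send back only name=value
    pairs; HttpOnly/Secure/Path/Expires are never included, which is why a
    server-side HttpCookie.HttpOnly read from Request.Cookies is always false."""
    pairs: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if pair:
            name, _, value = pair.partition("=")
            pairs[name.strip()] = value
    return pairs


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies set without HttpOnly, in the order they were set."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.http_only]


# Constructed sample (not captured from a real site): headers of the kind an
# ASP.NET app returns on the response that creates the session, plus the
# Cookie header the browser sends back on the next request.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=xq4xlm0r3ofq0w3cb5k2qpd3; path=/; HttpOnly",
    ".ASPXAUTH=abc; path=/; secure; HttpOnly",
    "theme=dark; path=/",
]
SAMPLE_REQUEST_COOKIE = "ASP.NET_SessionId=xq4xlm0r3ofq0w3cb5k2qpd3; .ASPXAUTH=abc; theme=dark"


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Live check against a running site: every Set-Cookie header it sent.
    Only used when a URL is passed on the command line, so the module stays offline-safe."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIE
    for h in headers:
        c = parse_set_cookie(h)
        print(f"{c.name}: HttpOnly={c.http_only} Secure={c.secure}")
    print("missing HttpOnly:", cookies_missing_httponly(headers))
    # The request side never carries the flag, whatever the response said.
    print("request Cookie header carries only:", parse_cookie_request_header(SAMPLE_REQUEST_COOKIE))
```

Run it with no arguments to see the constructed sample classified (only `theme` lacks HttpOnly), or pass the URL of a page that starts a session to inspect the real Set-Cookie headers; that header, not Request.Cookies, is the place to confirm that `<httpCookies httpOnlyCookies="true" />` took effect.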