2

I have a strange problem. I want to check if the .ASPXAUTH cookie exists with JavaScript. I do it like this:

authx = document.cookie.indexOf(".ASPXAUTH" + "=");  

and the 'authx' value is always -1. But if I try to find some other cookie like:

foo = document.cookie.indexOf("bar" + "=");  

it works. Is there some restriction between JavaScript and the .ASPXAUTH cookie?

dani
  • Well, the first question would be: did you check that the cookie is there? Did you check with Firecookie or something, to make sure the cookie is there? – sirrocco Nov 17 '10 at 08:10
  • Yes, I checked. Cookie is 100% there. – dani Nov 17 '10 at 08:38

1 Answer

2

I solved it. The problem was that I had set

HttpOnly = true;  

which prevents JavaScript from accessing the cookie. I just set it to false and it works.

dani
  • 12
    And of course it's meant to be HTTP only in order to avoid the risk of an XSS flaw grabbing your cookie and allowing your session to be hijacked. You've now opened up a vulnerability in your app. – Troy Hunt Nov 22 '11 at 07:30
  • Where did you set that? JS ? – d.popov Feb 03 '15 at 15:02
  • @d.popov Obviously no! You can set that in your web.config or (in ASP.NET MVC) as an attribute for each action method – Dr TJ Apr 05 '16 at 16:43
  • 1
    @DrTJ - maybe for you, but not so obvious for someone reading the question. Neither the question, tags nor the answer suggests so. The question even suggests a JavaScript context!
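
Added example, not part of the original posts: a small JavaScript (Node.js) model of the behaviour discussed above, showing why `document.cookie.indexOf(".ASPXAUTH=")` returns -1 when the cookie carries HttpOnly, plus a defensive check that flags a session cookie issued without the flag. The function names and the Set-Cookie header values are constructed for illustration.

```javascript
// Added example: models which cookies a browser exposes through document.cookie.
// The Set-Cookie header values below are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // first "=" only: values may contain "="
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY).
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const value = eq === -1 ? pair : pair.slice(eq + 1);
  return { name, value, attrs };
}

// Build the string a script would read from document.cookie:
// cookies flagged HttpOnly are left out, as the browser does.
function scriptVisibleCookieString(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Defensive check: list the named session cookies that are missing HttpOnly.
function missingHttpOnly(headers, sensitiveNames) {
  return headers
    .map(parseSetCookie)
    .filter((c) => sensitiveNames.includes(c.name) && !c.attrs.httponly)
    .map((c) => c.name);
}

// Constructed responses: the first keeps HttpOnly, the second drops it.
const hardened = [".ASPXAUTH=CONSTRUCTED-TICKET; path=/; HttpOnly", "bar=1; path=/"];
const weakened = [".ASPXAUTH=CONSTRUCTED-TICKET; path=/", "bar=1; path=/"];

console.log(scriptVisibleCookieString(hardened).indexOf(".ASPXAUTH="));
console.log(missingHttpOnly(weakened, [".ASPXAUTH"]));
```

Running `missingHttpOnly` over captured response headers in an integration test gives an early signal if the flag is ever switched off for the authentication cookie.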