.NET Daily


Passive Security Tip: HttpOnly Cookies

Posted on .

Passive Security Tip: HttpOnly Cookies


During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim’s session.


User opens an email with a newsletter. The code of the image below quickly executes a malicious Javascript code on client’s browser. You can see an example below the image code:

HTML Code:

Javascript Code:


Cookies should be marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Below you can find some implementation examples:

If you use default ASP.NET Membership provider, you can mark the cookies from web.config:

If you create cookies from code you can use the following property from cookie object:



Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.

There are no comments.

View Comments (0) ...