.NET Daily

ASP.net

Passive Security Tip: HttpOnly Cookies

Posted on .

Passive Security Tip: HttpOnly Cookies

Introduction

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim’s session.

Example

User opens an email with a newsletter. The code of the image below quickly executes a malicious Javascript code on client’s browser. You can see an example below the image code:

HTML Code:

Javascript Code:

Remedy

Cookies should be marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Below you can find some implementation examples:

If you use default ASP.NET Membership provider, you can mark the cookies from web.config:

If you create cookies from code you can use the following property from cookie object:

Darius

Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.

There are no comments.

View Comments (0) ...
Navigation