.NET Daily


Passive Security Tip: HttpOnly Cookies

Posted on .

Passive Security Tip: HttpOnly Cookies


During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim’s session.


User opens an email with a newsletter. The code of the image below quickly executes a malicious Javascript code on client’s browser. You can see an example below the image code:

HTML Code:

<img src=""http://www.a.com/a.jpg<script type=text/javascript 
src="">" /><img 

Javascript Code:



Cookies should be marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Below you can find some implementation examples:

If you use default ASP.NET Membership provider, you can mark the cookies from web.config:

    <compilation debug="true" targetFramework="4.0" />

    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

If you create cookies from code you can use the following property from cookie object:

    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;


Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.

There are no comments.

View Comments (0) ...

Privacy Preference Center