Help Stop Cross-Site Scripting Attacks with HttpOnly Cookies

Posted: September 9, 2009 in ASP, ASP.Net, Forums

Did you know that there’s a simple little change you can make in the way you handle cookies that can help prevent your users from falling victim to a cross-site scripting attack? Implementing HttpOnly cookies is quick, easy, and goes a long way towards making your application safer for everyone.

HttpOnly cookies behave exactly like regular cookies with one important difference: they cannot be accessed by client-side script running in the user’s browser. This doesn’t seem like a big difference until you realize that many cross-site scripting exploits depend on this very capability.

As long as you're running .NET 2.0 or higher, you can enable HttpOnly cookies in a couple of different ways. The easiest is to simply edit your application's Web.config file: setting the httpOnlyCookies attribute of the httpCookies element to true converts every cookie your application sends to the HttpOnly flavor.

You can also do the same thing for individual cookies that you set via code. It couldn’t be much easier as you can see in the following listing:

' Create the cookie, mark it HttpOnly, then add it to the response.
Dim myCookie As HttpCookie
myCookie = New HttpCookie("LastVisit", DateTime.Now.ToString())
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)

Now for the bad news: HttpOnly cookies only work in relatively new browsers. Older browsers will either treat them as regular cookies or ignore them altogether. If you happen to have a user base which is particularly behind the times, you’ll need to do some testing to see how your application behaves in their browser(s) of choice.

For more information, you may find the following links useful:

Mitigating Cross-Site Scripting With HTTP-Only Cookies
ASP.NET Settings Schema: httpCookies Element
.NET Framework Class Library: HttpCookie.HttpOnly Property

Update: HttpOnly Cookies in ASP.NET 1.x and Classic ASP

I've gotten a number of emails from users anxious to use HttpOnly cookies in their legacy Web projects. Rest assured, you can get the same HttpOnly functionality regardless of your server-side tool of choice… it just takes a little more work.

For those of you using ASP.NET 1.x, try this code:

' ASP.NET 1.x has no HttpOnly property, so the flag is smuggled in through
' the Path property; the emitted header ends up as "path=/; HttpOnly".
Dim myCookie As HttpCookie
myCookie = New HttpCookie("LastVisit", DateTime.Now.ToString())
myCookie.Path += "; HttpOnly"
Response.AppendCookie(myCookie)

It’s a little bit of a hack, but it should work in most cases. The only situation I can think of that might cause a problem is if your cookies are flagged as secure.

In classic ASP it’s a little more difficult. You can’t really use the Cookie object to accomplish the task, so you’ll need to resort to brute force and use the Response.AddHeader method to set the cookie.

Response.AddHeader "Set-Cookie", "CookieName=CookieValue; path=/; HttpOnly"

As you can see, HttpOnly cookies aren't just for developers lucky enough to be using the latest version of ASP.NET. With a few tweaks you can use them with whichever server-side technology you prefer.
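Whichever of the three listings above produces the cookie, what reaches the browser is a Set-Cookie header, and that header is what you should verify. The following is an added example, not code from the original post: a small Python check that parses Set-Cookie values and reports cookies missing the HttpOnly flag (and optionally Secure). The sample headers are constructed to match what the listings above emit; note that the ASP.NET 1.x Path hack and the .NET 2.0 HttpOnly property yield the same header bytes, so the check treats them identically.

```python
# Added example (not from the original post): a defender-side check that parses
# Set-Cookie header values and reports cookies missing the HttpOnly flag.
# The header strings below are constructed to match what the post's listings emit.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly and Secure map to True.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, object] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(headers: List[str], required=("httponly",)) -> Dict[str, List[str]]:
    """Map each cookie name to the required flags its Set-Cookie header lacks."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if attrs.get(flag) is not True]
        if missing:
            report[name] = missing
    return report


# Constructed sample headers, as a server running the post's listings would send them.
SAMPLE_HEADERS = [
    "LastVisit=2009-09-09; path=/; HttpOnly",     # ASP.NET listing (HttpOnly = True)
    "CookieName=CookieValue; path=/; HttpOnly",   # classic ASP Response.AddHeader line
    "ASP.NET_SessionId=a1b2c3d4; path=/",         # session cookie with no flag at all
    "auth=t0k3n; path=/; secure",                 # Secure but not HttpOnly
]

if __name__ == "__main__":
    for cookie, flags in missing_flags(SAMPLE_HEADERS, ("httponly", "secure")).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Run it against the Set-Cookie headers captured from your own application (for example from a proxy log) to confirm the Web.config or code change actually took effect for every cookie, including framework-issued ones such as the session cookie.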

Comments
  1. Kelli Garner says:

    Really nice posts. I will be checking back here regularly.

  2. It's remarkable in favor of me to have a web site, which is good in favor of my know-how. Thanks, admin.

  3. I don't even know the way I ended up here, however I thought this submit was great.
    I don't realize who you might be, however certainly you
    are going to be a well-known blogger in the event you aren't
    already. Cheers!

  4. I'm extremely pleased to uncover this page. I
    wanted to thank you for one's time due to this wonderful read!!
    I definitely appreciated every bit of it and I have you bookmarked to check out new stuff on your blog.
