How is HttpOnly get set for ASP.NET_SessionId cookie?

by

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can’t override this.

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "https://stackoverflow.com/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

More Related Contents:

  1. Chrome localhost cookie not being set
  2. asp.net cookies, authentication and session timeouts
  3. set cookie to expire at end of session? asp.net
  4. Cache VS Session VS cookies?
  5. ASP.NET Session Cookies – specifying the base domain
  6. I just discovered why all ASP.Net websites are slow, and I am trying to work out what to do about it
  7. Session timeout in ASP.NET
  8. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  9. ASP.NET: Session.SessionID changes between requests
  10. Asp.Net Forms Authentication when using iPhone UIWebView
  11. asp.net – session – multiple browser tabs – different sessions?
  12. Forms Authentication Timeout vs Session Timeout
  13. What is the difference between Session.Abandon() and Session.Clear()
  14. Preventing CSRF with the same-site cookie attribute
  15. ASP.NET session state provider in Azure [closed]
  16. Get a list of all active sessions in ASP.NET
  17. Session Fixation in ASP.NET
  18. Passing session data between ASP.NET Applications
  19. List all active ASP.NET Sessions
  20. ASP.net session request queuing
  21. Sharing cookies across different domains and different applications (classic ASP and ASP.NET)
  22. How to find out size of session in ASP.NET from web application?
  23. What is the difference between a Session and a Cookie in ASP.net?
  24. ASP.NET Why are sessions timing out, sessionstate timeout set
  25. Session would not retain values and always return null
  26. Can I change the FormsAuthentication cookie name?
  27. IIS Session Timeout vs ASP.NET Session Timeout
  28. Web authentication state – Session vs Cookie?
  29. asp.net session variables on Session_End
  30. Session_End does not fire?

Leave a Comment