XSS - Session hijacking

 
 
Robert Slaney
Guest
Posts: n/a
 
      02-05-2009
note - using ASP.NET 2.0

I would like to set the HttpOnly cookie flag on the ASP.NET session ID
cookie. I know I can set this via the httpCookies element in web.config, but
I don't want to set all cookies to have this flag.

I have some cached static pages that use values from the cookies in
JavaScript, so until I can re-engineer these pages to remove this I cannot set
the web.config in this way.

Does the default ASP.NET session provider have the ability to set its
cookie to HttpOnly?

Cheers...

Rob
 
Robert Slaney
Guest
Posts: n/a
 
      02-05-2009
I think that it is set already; FireBug with Firecookie shows the HttpOnly
attribute is on for ASPNET_SessionID.

"Robert Slaney" wrote:

> note - using ASP.NET 2.0
>
> I would like to set the httponly cookie flag on the asp.net sessionid
> cookie. I know I can set this via the httpCookies element in web.config, but
> I don't want to set all cookies to have this flag.
>
> I have some cached static pages that use values from the cookies in
> javascript so until I can reengineer these pages to remove this I cannot set
> the web.config in this way.
>
> Does the default asp.net session provider have the ability to set its
> cookie to HttpOnly ?
>
> Cheers...
>
> Rob

 
Reply With Quote
 
 
 
 
Steven Cheng
Guest
Posts: n/a
 
      02-05-2009
Hi Rob,

As for the SessionID cookie, it is generated internally by the default
SessionIDManager. You can find the internal code logic through Reflector.
Here is the code snippet extracted from it:

======default SessionIdManager class======

// Decompiled from System.Web.SessionState.SessionIDManager (ASP.NET 2.0)
private static HttpCookie CreateSessionCookie(string id)
{
    // Config.CookieName is the configured session cookie name
    // (default "ASP.NET_SessionId")
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    // Set unconditionally: the session cookie is HttpOnly regardless of
    // the <httpCookies> element in web.config
    cookie.HttpOnly = true;
    return cookie;
}

=================

As you can see, it explicitly sets HttpOnly to true. Also, I've tested the
session cookie via some JavaScript, and the JavaScript code cannot retrieve
it, which also indicates the cookie is HttpOnly and protected from
client script.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

--------------------
>From: Robert Slaney <Robert (E-Mail Removed)>
>References: <(E-Mail Removed)>
>Subject: RE: XSS - Session hijacking
>Date: Wed, 4 Feb 2009 18:40:46 -0800
>
>I think that it is set already, FireBug with firecookie shows the HttpOnly
>attribute is on for ASPNET_SessionID.
>
>"Robert Slaney" wrote:
>
>> note - using ASP.NET 2.0
>>
>> I would like to set the httponly cookie flag on the asp.net sessionid
>> cookie. I know I can set this via the httpCookies element in web.config, but
>> I don't want to set all cookies to have this flag.
>>
>> I have some cached static pages that use values from the cookies in
>> javascript so until I can reengineer these pages to remove this I cannot set
>> the web.config in this way.
>>
>> Does the default asp.net session provider have the ability to set its
>> cookie to HttpOnly ?
>>
>> Cheers...
>>
>> Rob
>

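The thread settles the question by reading decompiled code and by poking at document.cookie from a browser plugin. A defender can also answer it from the wire: the Set-Cookie headers the server returns say directly which cookies carry HttpOnly (and Secure). The script below is an added example written for this page, not code from the thread or from ASP.NET; the sample response headers are constructed, "ASP.NET_SessionId" is ASP.NET's default session cookie name, and "myapp_auth" is a placeholder for an application's own authentication cookie.

```python
"""Audit HTTP Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not from the thread or from ASP.NET. Given the raw
Set-Cookie lines an HTTP client receives, it reports which cookies that
carry a session or auth token are missing HttpOnly, i.e. are readable by
script via document.cookie and therefore exposed to session theft by XSS.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    attributes: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value (the text after 'Set-Cookie:').

    Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    http_only = secure = False
    attributes: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "httponly":
            http_only = True
        elif key_l == "secure":
            secure = True
        else:
            attributes[key_l] = val.strip()
    return CookieAudit(name.strip(), http_only, secure, attributes)


# Lower-cased names of cookies that hold a session or auth token and must
# be HttpOnly. "asp.net_sessionid" is ASP.NET's default session cookie;
# "myapp_auth" is a placeholder for an application's own token cookie.
SENSITIVE_COOKIE_NAMES = {"asp.net_sessionid", "myapp_auth"}


def audit_response_headers(raw_headers: List[str]) -> List[str]:
    """Return one finding per sensitive cookie that lacks HttpOnly."""
    findings: List[str] = []
    for line in raw_headers:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name.lower() in SENSITIVE_COOKIE_NAMES and not cookie.http_only:
            findings.append(
                f"{cookie.name}: missing HttpOnly (readable via document.cookie)"
            )
    return findings


# Constructed sample response headers, not captured from a real site.
# The session cookie is HttpOnly (as the SessionIDManager sets it), the
# theme cookie is deliberately script-readable, and the auth cookie is
# the misconfiguration the audit should flag.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: ASP.NET_SessionId=0123456789abcdef; path=/; HttpOnly",
    "Set-Cookie: theme=dark; path=/",
    "Set-Cookie: myapp_auth=tokenvalue; path=/",
]


if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
```

Feeding it the headers from a real response (for instance, the `Set-Cookie` lines captured by a proxy or `curl -i`) shows whether the global `httpOnlyCookies` switch in web.config is even needed for the session cookie, and which of the application's own cookies still need `HttpCookie.HttpOnly = true` set individually so that the JavaScript-read cookies on the cached static pages can be left alone.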