I think it should just default to setting the cookie.HttpOnly flag
to true at all times, as there is no reason at all for the AuthCookie to
be accessible by client-side script, is there?
James
On 04/10/2013 18:35, James Wright wrote:
Ok, so from looking at the source, I don't see where the HttpOnly property
is being set at all (I would have expected it to be with the setting
of the Secure property):
System.Web.Security.FormsAuthentication

public static HttpCookie GetAuthCookie (string userName, bool
                                        createPersistentCookie, string strCookiePath)
{
    Initialize ();
    if (userName == null)
        userName = String.Empty;
    if (strCookiePath == null || strCookiePath.Length == 0)
        strCookiePath = cookiePath;

    // Ticket lifetime: 50 years for a persistent cookie, otherwise the configured timeout.
    DateTime now = DateTime.Now;
    DateTime then;
    if (createPersistentCookie)
        then = now.AddYears (50);
    else
        then = now.AddMinutes (timeout);

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
                                                                      userName,
                                                                      now,
                                                                      then,
                                                                      createPersistentCookie,
                                                                      String.Empty,
                                                                      cookiePath);

    // A non-persistent cookie gets no Expires value, so it becomes a session cookie.
    if (!createPersistentCookie)
        then = DateTime.MinValue;

    HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket),
                                        strCookiePath, then);

    // Secure is set from the requireSSL setting; HttpOnly is never set here.
    if (requireSSL)
        cookie.Secure = true;
    if (!String.IsNullOrEmpty (cookie_domain))
        cookie.Domain = cookie_domain;
    return cookie;
}
Am I missing something?
James
On 04/10/2013 18:25, James Wright wrote:
Nope, it's definitely "httpOnly", as in the browser will not let
client-side script access the cookie (the cookie is only for being
sent with each request).
I think you are thinking of "requireSSL" which instructs the web
browser to only send the cookie over HTTPS and not unencrypted HTTP
connections.
James
On 04/10/2013 17:01, Ian Norton wrote:
Do you mean httpsonly?
On 4 Oct 2013 16:51, "James Wright" <[email protected]> wrote:
Hi,
I've added the following piece of config to my Web.config to
default the FormsAuthentication cookie as HttpOnly:
<system.web>
...
<httpCookies httpOnlyCookies="true" />
...
</system.web>
However the authentication cookie still does not show as being
marked as HttpOnly when looking at it with FireBug.
Is this a known issue or bug in Mono? Have I missed something
obvious?
Thanks,
James
OS: Amazon Linux
Mono: 3.2.0
.NET runtime: 4.5
Framework: ASP.NET MVC 2.0
_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
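The thread's conclusion is that Mono's GetAuthCookie sets Secure from requireSSL but never sets HttpOnly, so the httpCookies httpOnlyCookies="true" setting has no effect on the auth cookie. The following is an added example, not code from the thread or from Mono's own source: an IHttpModule that forces HttpOnly (and Secure, when requireSSL is on) on the Forms Authentication cookie before the response headers go out, as an application-level mitigation until the framework defaults the flag. It assumes ASP.NET 4.x on Mono 3.x, that the cookie name is FormsAuthentication.FormsCookieName, and the hypothetical namespace and class names shown.

```csharp
// Added example (not from the mailing-list thread or Mono's source tree).
// Assumptions: ASP.NET 4.x / Mono 3.x pipeline, the auth cookie is named by
// FormsAuthentication.FormsCookieName, and the module is registered in Web.config.
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

namespace Example.Security   // hypothetical namespace
{
    public class AuthCookieHttpOnlyModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // EndRequest runs after the handler (so after SetAuthCookie has added
            // the cookie to Response.Cookies) and before the headers are flushed,
            // unless the page flushed the response itself earlier.
            app.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            HardenAuthCookie(ctx.Response.Cookies,
                             FormsAuthentication.FormsCookieName,
                             FormsAuthentication.RequireSSL);
        }

        // Kept separate so it can be exercised against any HttpCookieCollection.
        // Returns true when the auth cookie was present and has been hardened,
        // false when this response sets no auth cookie.
        public static bool HardenAuthCookie(HttpCookieCollection cookies,
                                            string authCookieName,
                                            bool requireSsl)
        {
            // Check AllKeys first: the Response.Cookies indexer creates a cookie
            // for an unknown name, which would emit an empty Set-Cookie header.
            if (!cookies.AllKeys.Contains(authCookieName))
                return false;

            HttpCookie cookie = cookies[authCookieName];
            cookie.HttpOnly = true;      // the ticket is only ever read from request headers
            if (requireSsl)
                cookie.Secure = true;    // mirror the requireSSL setting, as GetAuthCookie does
            return true;
        }
    }
}
```

Register the module in Web.config under system.web/httpModules with an add element whose type is Example.Security.AuthCookieHttpOnlyModule (adjust to your assembly name). HardenAuthCookie takes the collection as a parameter so it can be checked in a plain unit test with a fresh HttpCookieCollection: add a cookie named .MONOAUTH (or whatever FormsCookieName resolves to), call the method, and verify HttpOnly is now true. After deploying, confirm the Set-Cookie header for the auth cookie carries HttpOnly, which is the observation that started this thread.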