XSS - Session hijacking

Discussion in 'ASP .Net Security' started by Robert Slaney, Feb 5, 2009.

  1. note - using ASP.NET 2.0

    I would like to set the httponly cookie flag on the asp.net sessionid
    cookie. I know I can set this via the httpCookies element in web.config, but
    I don't want to set all cookies to have this flag.

    I have some cached static pages that use values from the cookies in
    javascript so until I can reengineer these pages to remove this I cannot set
    the web.config in this way.

    Does the default asp.net session provider have the ability to set its
    cookie to HttpOnly?

    Cheers...

    Rob
    Robert Slaney, Feb 5, 2009
    #1

  2. I think that it is set already, FireBug with firecookie shows the HttpOnly
    attribute is on for ASPNET_SessionID.

    "Robert Slaney" wrote:

    > note - using ASP.NET 2.0
    >
    > I would like to set the httponly cookie flag on the asp.net sessionid
    > cookie. I know I can set this via the httpCookies element in web.config, but
    > I don't want to set all cookies to have this flag.
    >
    > I have some cached static pages that use values from the cookies in
    > javascript so until I can reengineer these pages to remove this I cannot set
    > the web.config in this way.
    >
    > Does the default asp.net session provider have the ability to set its
    > cookie to HttpOnly?
    >
    > Cheers...
    >
    > Rob
    Robert Slaney, Feb 5, 2009
    #2

  3. Steven Cheng (Guest)

    Hi Rob,

    As for the SessionID cookie, it is generated internally by the default
    SessionIDManager. You can find the internal code logic through Reflector.
    Here is the code snippet extracted from it:

    ======default SessionIdManager class======

    private static HttpCookie CreateSessionCookie(string id)
    {
        HttpCookie cookie = new HttpCookie(Config.CookieName, id);
        cookie.Path = "/";
        cookie.HttpOnly = true;
        return cookie;
    }

    =================

    As you can see, it explicitly sets HttpOnly to true. Also, I've tested the
    session cookie via some javascript, and the javascript code cannot retrieve
    it, which also indicates the cookie is HttpOnly and protected from
    client-script.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    --------------------
    >From: Robert Slaney <Robert >
    >References: <>
    >Subject: RE: XSS - Session hijacking
    >Date: Wed, 4 Feb 2009 18:40:46 -0800
    >
    >I think that it is set already, FireBug with firecookie shows the HttpOnly
    >attribute is on for ASPNET_SessionID.
    >
    >"Robert Slaney" wrote:
    >
    >> note - using ASP.NET 2.0
    >>
    >> I would like to set the httponly cookie flag on the asp.net sessionid
    >> cookie. I know I can set this via the httpCookies element in web.config, but
    >> I don't want to set all cookies to have this flag.
    >>
    >> I have some cached static pages that use values from the cookies in
    >> javascript so until I can reengineer these pages to remove this I cannot set
    >> the web.config in this way.
    >>
    >> Does the default asp.net session provider have the ability to set its
    >> cookie to HttpOnly?
    >>
    >> Cheers...
    >>
    >> Rob
    >
    Steven Cheng, Feb 5, 2009
    #3
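The two checks used in this thread (FireBug's cookie view, and a script that cannot read the cookie via document.cookie) both rely on the browser hiding HttpOnly cookies from script. The server-side counterpart is to look at the Set-Cookie headers the application actually emits, which also catches the other cookies Rob wants to leave script-readable. The following is an added example, not code from the thread or from ASP.NET; it parses Set-Cookie header values with a small hand-written parser (RFC 6265 attribute syntax, case-insensitive attribute names) and reports which cookies lack HttpOnly. The header values are constructed; ASP.NET_SessionId is the default session cookie name (Rob's "ASPNET_SessionID" refers to the same cookie).

```python
"""Audit the Set-Cookie headers of an HTTP response for the HttpOnly flag.

Added example, not code from the thread. Cookie and header values below
are constructed; ASP.NET_SessionId is the default session cookie name.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SESSION_COOKIE_NAME = "ASP.NET_SessionId"  # ASP.NET default session cookie name


@dataclass
class SetCookie:
    """One parsed Set-Cookie header: cookie-pair plus lower-cased attributes."""
    name: str
    value: str
    # Attribute names are stored lower-cased; bare flags (HttpOnly, Secure) map to "".
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value.

    Attributes are separated by ';' (an Expires date may contain a comma but
    never a semicolon, so a plain split is safe). Matching is case-insensitive
    because browsers treat 'httponly' and 'HttpOnly' alike.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie-pair: {parts[0]!r}")
    attributes: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value, attributes)


def audit(headers: List[str]) -> Dict[str, bool]:
    """Map each cookie name to whether its Set-Cookie header carried HttpOnly."""
    return {c.name: c.http_only for c in map(parse_set_cookie, headers)}


def session_cookie_exposed(headers: List[str],
                           session_name: str = SESSION_COOKIE_NAME) -> bool:
    """True when the session cookie is issued without HttpOnly, i.e. readable
    by script, which is the condition that makes XSS session hijacking possible."""
    flags = audit(headers)
    return session_name in flags and not flags[session_name]


# Constructed sample: what a response in the thread's scenario might carry.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=lq3kx2b4u5pmzv45ldqkqf45; path=/; HttpOnly",
    "theme=dark; path=/",  # deliberately script-readable, as Rob's cached pages need
    "prefs=lang%3Den; path=/; expires=Wed, 04-Feb-2010 18:40:46 GMT; HttpOnly",
]


if __name__ == "__main__":
    for name, http_only in audit(SAMPLE_HEADERS).items():
        print(f"{name:20s} HttpOnly={'yes' if http_only else 'NO'}")
    print("session cookie exposed:", session_cookie_exposed(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values captured from a real response (one list entry per header) and the report shows the per-cookie split the thread is after: the session cookie flagged HttpOnly while other cookies stay readable from script. Re-run it after any change to the httpCookies element in web.config, since httpOnlyCookies="true" there flips every cookie at once.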
