Thursday, June 10, 2004

Use of HTTPOnly cookie attribute

A cookie can be marked as HttpOnly to indicate that the cookie is
"non-scriptable" and should not be revealed to the client application, for
security reasons. Within Windows Internet (WinINet), this means that the
cookie cannot be retrieved through the InternetGetCookie function.

If Internet Explorer 6.0 SP1 detects a cookie marked HttpOnly and some
client-side script, such as JavaScript, attempts to read the cookie (via
document.cookie, for example), Internet Explorer returns an empty string.
This blunts an XSS attack: the injected script cannot read the cookie and so
cannot send it back to a malicious site. The cookie is still passed to and
from the originating server as normal; only script running in the browser
can't read it.

Web browsers that do not support the HttpOnly cookie attribute either ignore
the cookie or ignore the attribute; in the latter case the cookie remains
readable by script and is still exposed to XSS attacks.

The System.Net.Cookie class does not currently support an HttpOnly property.
To add an HttpOnly attribute to a cookie, you need to use an ISAPI filter, or,
if you want a managed-code solution, add the following code to your
application's Application_EndRequest event handler in Global.asax:

// Global.asax.cs (ASP.NET 1.1, C#). FormsAuthentication lives in
// System.Web.Security; in an inline Global.asax use
// <%@ Import Namespace="System.Web.Security" %> instead of the using lines.
using System;
using System.Web;
using System.Web.Security;

protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = FormsAuthentication.FormsCookieName;
    // Enumerating HttpCookieCollection yields the cookie names (keys).
    foreach (string sCookie in Response.Cookies)
    {
        // Just set the HttpOnly attribute on the Forms authentication cookie.
        // Skip this check to set the attribute on all cookies in the collection.
        if (sCookie.Equals(authCookie))
        {
            // Force HttpOnly to be added to the cookie header: the Path value is
            // written into the Set-Cookie header verbatim, so the appended text
            // becomes a separate attribute ("path=/;HttpOnly").
            Response.Cookies[sCookie].Path += ";HttpOnly";
        }
    }
}

A future version of the .NET Framework is likely to have an HttpOnly
property on the Cookie class.
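Because the Path trick above only works if the appended text survives into the Set-Cookie header, it is worth checking the headers a server actually emits. The following Python audit is an added example, not code from the original post: it parses Set-Cookie header values and lists the cookies set without HttpOnly. The header values are constructed samples; .ASPXAUTH is ASP.NET's default Forms authentication cookie name.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class CookieAudit:
    name: str
    value: str
    # lower-cased attribute name -> value ("" for bare flags such as HttpOnly)
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value: name=value; attr; attr=value.

    Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY all
    count) and an attribute without '=' is a flag. Only the first '=' splits
    name from value, so values that themselves contain '=' survive intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            aname, _, aval = part.partition("=")
            attrs[aname.strip().lower()] = aval.strip()
    return CookieAudit(name.strip(), value.strip(), attrs)


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies, in header order, that were set without HttpOnly."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


# Constructed sample headers, not captured from a real server. The first is what
# the Path trick above emits in ASP.NET 1.1: ";HttpOnly" rides along inside the
# path attribute and the browser parses it as a separate flag.
SAMPLE_HEADERS = [
    ".ASPXAUTH=EXAMPLE_TICKET; path=/;HttpOnly",
    "ASP.NET_SessionId=EXAMPLE_SESSION; path=/",
    "prefs=lang=en; expires=Fri, 11-Jun-2004 00:00:00 GMT; path=/; secure",
]

if __name__ == "__main__":
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```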
