<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8211560\x26blogName\x3dTech+Tips,+Tricks+%26+Trivia\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://mvark.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttp://mvark.blogspot.com/\x26vt\x3d-5147029996388199615', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Tech Tips, Tricks & Trivia

by 'Anil' Radhakrishna
An architect's notes, experiments, discoveries and annotated bookmarks.

Search from over a hundred HOW TO articles, Tips and Tricks


HOW TO read cookie placed by ASP.NET using JavaScript

You can retrieve the cookies with JavaScript if you set the HttpOnly property of HttpCookie class to false.

The HttpOnly property gets or sets a true/false value if cookie is accesible by client side javascript. If value is true, cookie will be accessible only by server side ASP.NET code. The default is false. This property is new in the .NET Framework version 2.0. Check the MSDN documentation for a code sample.

If HttpOnly can help mitigate cross-site scripting threats that result in stolen cookies, I wonder why the default value of the property is false.

As per this OWASP article, Opera & Safari do not support HTTPOnly while only some browsers prevent writing to a cookie or reading HttpOnly cookies using XMLHTTPRequest.

Also see: A Web App Is As Secure As You Make It & the Browser It Runs On

Labels: , ,

Tweet this | Google+ it | Share on FB

« Home | Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »
| Next »

»

Post a Comment