HOW TO read a cookie placed by ASP.NET using JavaScript

You can retrieve cookies with JavaScript if you set the HttpOnly property of the HttpCookie class to false.

The HttpOnly property gets or sets a value indicating whether the cookie is accessible by client-side script. If the value is true, the cookie is accessible only by server-side ASP.NET code. The default is false. This property is new in the .NET Framework version 2.0. Check the MSDN documentation for a code sample.
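To show what the HttpOnly flag changes on the client side, here is an added example (not from the original post): it models how a browser builds the script-visible document.cookie from Set-Cookie headers, dropping any cookie carrying the HttpOnly attribute, and then reads one cookie by name. The Set-Cookie lines and cookie values are constructed for the example.

```javascript
// Constructed Set-Cookie headers, as ASP.NET would emit them for a
// cookie created with HttpOnly = false ("theme") and one with
// HttpOnly = true (the session cookie). Values are made up.
const setCookieHeaders = [
  "theme=dark; path=/",
  "ASP.NET_SessionId=abc123xyz; path=/; HttpOnly",
];

// Returns the string a browser would expose as document.cookie for these
// headers: "name=value" pairs joined by "; ", HttpOnly cookies omitted.
function scriptVisibleCookieString(headers) {
  return headers
    .map((h) => h.split(";").map((part) => part.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Reads one cookie by name from a document.cookie-style string.
// Returns null when the cookie is absent, which is exactly what script
// sees for any cookie the server marked HttpOnly.
function getCookie(cookieString, name) {
  for (const pair of cookieString.split("; ")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) {
      return decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
    }
  }
  return null;
}

// In a real page this would be getCookie(document.cookie, "theme").
const visible = scriptVisibleCookieString(setCookieHeaders);
console.log(getCookie(visible, "theme"));             // "dark"
console.log(getCookie(visible, "ASP.NET_SessionId")); // null
```

The session cookie stays invisible to script only because it was left HttpOnly; setting HttpOnly = false on it would make it readable in the same way as "theme".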

If HttpOnly can help mitigate cross-site scripting threats that result in stolen cookies, I wonder why the default value of the property is false.

As per this OWASP article, Opera and Safari do not support HttpOnly, and only some browsers prevent writing to a cookie or reading HttpOnly cookies using XMLHttpRequest.

Also see: A Web App Is As Secure As You Make It & the Browser It Runs On
