HOW TO read cookie placed by ASP.NET using JavaScript

You can retrieve the cookies with JavaScript if you set the HttpOnly property of the HttpCookie class to false.

The HttpOnly property gets or sets a true/false value that specifies whether the cookie is accessible by client-side JavaScript. If the value is true, the cookie will be accessible only by server-side ASP.NET code. The default is false. This property is new in the .NET Framework version 2.0. Check the MSDN documentation for a code sample.
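What the flag changes from the script's side, as an added example (not code from the original post or from MSDN): it parses constructed Set-Cookie header values and builds the string `document.cookie` would return, assuming a browser that honors HttpOnly. The function names and sample cookies are hypothetical.

```javascript
// Added example: models which cookies page script can read via document.cookie.
// The Set-Cookie header values below are constructed sample data.
const sampleHeaders = [
  "ASP.NET_SessionId=abc123; path=/; HttpOnly",
  "theme=dark; path=/",
  "lang=en; Path=/; httponly; Secure",
  "cart=3; expires=Wed, 01 Jan 2030 00:00:00 GMT; path=/",
];

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const first = parts.shift();
  const eq = first.indexOf("=");
  if (eq < 1) return null; // nameless cookies are skipped in this model
  const name = first.slice(0, eq).trim();
  const value = first.slice(eq + 1).trim();
  // Attribute names are case-insensitive and HttpOnly carries no value.
  const httpOnly = parts.some(
    (p) => p.split("=")[0].trim().toLowerCase() === "httponly"
  );
  return { name, value, httpOnly };
}

// Build the "name=value; name=value" string that document.cookie exposes:
// every cookie except those the server marked HttpOnly.
function scriptVisibleCookieString(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c !== null && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Look up one cookie by name, the way client-side code reads document.cookie.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null; // absent or HttpOnly: indistinguishable to the script
}

const visible = scriptVisibleCookieString(sampleHeaders);
console.log(visible);
console.log(readCookie(visible, "ASP.NET_SessionId"));
```

In a real page, replace the modeled string with `document.cookie`; a cookie set with `HttpOnly = true` simply does not appear in it.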

If HttpOnly can help mitigate cross-site scripting threats that result in stolen cookies, I wonder why the default value of the property is false.

As per this OWASP article, Opera & Safari do not support HttpOnly, and only some browsers prevent writing to a cookie or reading HttpOnly cookies using XMLHttpRequest.

Also see: A Web App Is As Secure As You Make It & the Browser It Runs On
