asp.net - How is HttpOnly get set for ASP.NET_SessionId cookie?

Question

Welcome To Ask or Share your Answers For Others

asp.net - How is HttpOnly get set for ASP.NET_SessionId cookie?

asked Oct 17, 2021 in Technique[技术] by 深蓝 (71.8m points)

In my web project setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in code where cookie is being set to HttpOnly. However, when I browse to the site I can see that ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

551 views

1 Answer

深蓝 · Answer 1 · 2021-10-17T01:15:11+0000

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can't override this.

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

Categories

asp.net - How is HttpOnly get set for ASP.NET_SessionId cookie?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags