Added HttpOnly to all cookies #3170
Conversation
|
Hi @scottbommarito, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution! The agreement was validated by .NET Foundation and real humans are currently evaluating your PR. TTYL, DNFBOT; |
|
Some reading material: https://www.troyhunt.com/c-is-for-cookie-h-is-for-hacker/ Seems good, although we may want to set it in Web.config instead? |
|
@maartenba Added it to the Web.config. Do we want to add |
|
(forgot to tag people) |
| @@ -52,7 +52,9 @@ public FormsAuthenticationService(IAppConfiguration configuration) | |||
| if (_configuration.RequireSSL) | |||
| { | |||
| // Drop a second cookie indicating that the user is logged in via SSL (no secret data, just tells us to redirect them to SSL) | |||
| context.Response.Cookies.Add(new HttpCookie(ForceSSLCookieName, "true")); | |||
| HttpCookie responseCookie = new HttpCookie(ForceSSLCookieName, "true"); | |||
| responseCookie.HttpOnly = true; | |||
There was a problem hiding this comment.
do you still need to specify this here and above after making change in web.config?
There was a problem hiding this comment.
technically no, but it doesn't hurt to be extra cautious.
There was a problem hiding this comment.
If its not required no point in adding it. I would prefer it be removed and declared at single position. Keeps it easy to maintain.
|
Looks good. |
|
|
https://devdiv.visualstudio.com/DevDiv/_workitems?id=244714&_a=edit
Not sure how necessary any of this is, but now every usage of HttpCookie sets HttpOnly to true.