
I have tried to enable httpOnly cookies in my WSS 3.0 forms-authentication application using the web.config tag. A Cenzic Hailstorm security scan report claims that cookies are being produced with the flag off, including the .ASPXAUTH cookie, one related to Discovery.asmx, and one related to WSS_AccessibiltyFeature. Here are my questions:

  1. Is there some way the scan could be mistaken?
  2. Is there something I do not understand about how the cookies are created? Are these exempt from the httpOnly flag?
  3. Is there a way to verify myself that the cookies are coming out as httpOnly? I am aware of the Watcher add-on for Fiddler but I have not been able to get that to work (I am communicating with the developer). Surely there is something else that can examine the cookie.

1 Answer


Actually, you can use Fiddler to look at the Raw source of your HTTP request. That should tell you about the httpOnly cookies.

See more about this here: http://www.codinghorror.com/blog/archives/001167.html

  • Thanks, I was able to view the httpOnly flag by examining the raw header. I am still curious as to why Hailstorm is mistaken. I will leave the question open for a while and accept your answer if no one answers the other part of the question. – strongopinions Nov 09 '09 at 23:21
  • I wonder if your cookie was cached: Cacheable Cookies: If the cookie is intended for use by a single user (for private documents), the Set-cookie header should not be cached. To suppress caching of the Set-Cookie header, the origin server should send Cache-control: no-cache="set-cookie" response header. (This is a server side setting) – Gyuri Nov 10 '09 at 00:01
  • IE doesn't actually respect named header values in the Cache-Control directive; sending no-cache there will prevent caching of the response entirely. I don't know whether other browsers do. – EricLaw Nov 10 '09 at 04:49
  • This time the scan did not complain about httpOnly. Maybe it was a caching issue before, but wouldn't the cached version have contained the httpOnly flag anyway? – strongopinions Nov 10 '09 at 19:34
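A way to check the Set-Cookie headers yourself without relying on a scanner or a Fiddler add-on, as an added example that is not code from the question or the answer: it parses each Set-Cookie header the server returns and reports any cookie that lacks the HttpOnly attribute. The `audit_url` helper and the sample headers below are assumptions and constructed data, not captured from a real WSS 3.0 server.

```python
import urllib.error
import urllib.request
from typing import Dict, List, Set

# Attributes every cookie must carry; add "secure" here to audit that flag as well.
REQUIRED_FLAGS = ("httponly",)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()  # attribute names are case-insensitive
        if key:
            attrs.add(key)
    return {"name": name, "attrs": attrs}


def audit_headers(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every cookie that lacks a required flag."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in cookie["attrs"]]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch url once (hypothetical helper) and audit every Set-Cookie header in the response."""
    try:
        with urllib.request.urlopen(url) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry Set-Cookie headers
        headers = err.headers.get_all("Set-Cookie") or []
    return audit_headers(headers)


# Constructed sample headers illustrating the cookies named in the question.
SAMPLE_HEADERS = [
    ".ASPXAUTH=abc123; path=/; HttpOnly",
    "WSS_AccessibiltyFeature=0; path=/",
    "ASP.NET_SessionId=xyz; path=/; httponly; secure",
]

if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run `audit_url` against a page that sets the cookies after logging in; a scanner that reports a cookie without HttpOnly can be cross-checked against this output, which reads the same raw headers Fiddler shows.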