
I created an HttpOnly cookie using this article:

https://learn.microsoft.com/pt-br/dotnet/api/system.web.httpcookie.httponly?view=netframework-4.7.2

The HttpOnly cookie is created as follows:

    // Create an HttpOnly cookie.
    HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

    // Setting the HttpOnly value to true makes
    // this cookie accessible only to ASP.NET (not to client-side script).
    myHttpOnlyCookie.HttpOnly = true;
    // Secure: the browser only sends the cookie over HTTPS.
    myHttpOnlyCookie.Secure = true;
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
    Response.AppendCookie(myHttpOnlyCookie);

    // Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name);

OK, I saw this article, which says: https://latesthackingnews.com/2017/07/03/what-is-httponly-cookie/

HttpOnly tells the browser to save the cookie without displaying it to client-side scripts. A secure flag, on the other hand, forces the browser to send cookies through an encrypted channel such as HTTPS, which stops eavesdropping, especially when an HTTPS connection is downgraded to HTTP through tools such as SSLStrip and so on.

OK, but I created an HttpOnly cookie in my .aspx page and I could still see it in Chrome's cookies file:

C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Cookie

I set the flags:

    myHttpOnlyCookie.HttpOnly = true;
    myHttpOnlyCookie.Secure = true;

Question 1 - If HttpOnly tells the browser to save the cookie without displaying it to client-side scripts, why could I see the name of the cookie in Chrome's cookie file?

Question 1.1 - Is its content accessible, just not from scripts?

Question 2 - It's silly, but I can't access the HttpOnly cookie from aspx using this code:

    HttpContext.Current.Request.Cookies["test_MyHttpOnlyCookietest"]

Is that the only way to access it server-side?

Question 3 - When I set myHttpOnlyCookie.Secure = true; I can't access it via a non-HTTPS connection - is that right? Can I access it only over HTTPS?

Question 4 - If I use myHttpOnlyCookie.Secure = true, there is encryption and decryption. How costly is this in processing power?

felipe
  • `Secure` doesn't encrypt the cookie separately, it just means that the cookie will _not_ be sent over a standard (non-encrypted) HTTP connection. When using HTTPS the cookie is sent as part of the request, and the entire request is encrypted as usual. There is no extra overhead apart from that the request will be a little bit bigger (since you're sending more data). – Visual Vincent Jan 16 '19 at 13:24

1 Answer

HttpOnly cookies are not exposed to client scripts; of course the browser has access to them, since it is supposed to send them back to the server.

You can access it using the Request object in ASP.NET like any other cookie.

Setting the "Secure" attribute means that the cookie can be used only over a secure connection, i.e. HTTPS, so it won't work under HTTP. The overhead of encryption/decryption is not specific to cookies; it actually happens at the TCP level for all data transfers, and the overhead is like that of any other HTTPS connection (which is not that much considering today's servers). The size or number of cookies can affect the overhead because the data is transferred on every call.
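A small model of what the answer describes, added here as an example and not code from the question, the answer or ASP.NET: it parses a Set-Cookie header the way a browser would and shows that Secure only governs transmission (HTTPS vs HTTP), HttpOnly only governs script visibility, and neither changes what the browser stores on disk; it also audits a header for the missing attributes. The header strings are constructed, and Domain, expiry and SameSite handling are omitted.

```python
from dataclasses import dataclass, field

# Constructed sample headers (not from the page): the hardened cookie from the
# question's code, and a weak one carrying neither attribute.
HARDENED = "MyHttpOnlyCookie=1/16/2019; HttpOnly; Secure; Path=/"
WEAK = "LastVisit=1/16/2019; Path=/"


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool = False
    secure: bool = False
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val' as a browser would store it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie.http_only = True
        elif key == "secure":
            cookie.secure = True
        elif key:
            cookie.attributes[key] = val.strip()
    return cookie


def browser_sends_cookie(cookie: Cookie, request_scheme: str) -> bool:
    """Secure restricts transmission to HTTPS; the on-disk copy exists either way."""
    return not (cookie.secure and request_scheme.lower() != "https")


def visible_to_document_cookie(cookie: Cookie) -> bool:
    """HttpOnly hides the cookie from script, not from the browser or the server."""
    return not cookie.http_only


def audit_set_cookie(header: str) -> list:
    """Report which hardening attributes a Set-Cookie header is missing."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.http_only:
        findings.append(f"{cookie.name}: missing HttpOnly")
    if not cookie.secure:
        findings.append(f"{cookie.name}: missing Secure")
    return findings
```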