
I have an application with Angular as the front end and a .NET Framework 4.7 C# Web API as the server side. It is hosted in IIS 10. Now our customer wants to add the HttpOnly flag to the Set-Cookie in the response header. When I check the response header in the Chrome Dev Tools, I can see the cookie below:

```
Set-Cookie: NSC_mcwt_updpnqfuf-quf_________Jou_=ffffffff09ee746d45525d5f4f58455e445a4a423660;expires=Fri, 15-Nov-2019 06:52:47 GMT;path=/;secure
```

Now I want to append the "HttpOnly" flag to the existing cookie. So I tried to add a cookie using the Rewrite module in the web.config file, and it is creating a new Set-Cookie with the HttpOnly flag. But I just want to append it to the existing Set-Cookie header itself.

Do I need to change anything in the web.config file to append the HttpOnly flag, or is any change needed on the Angular UI side?

Arun vv

1 Answer


As far as I know, you could try to modify the web.config file of your IIS application, enabling the HttpOnly flag in IIS to achieve your requirement.

Edit the web.config file of your web application and add the following:

```xml
<system.web>
  ...
  <!-- Applies HttpOnly and Secure to cookies issued by ASP.NET itself -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  ...
</system.web>
```

Brando Zhang
  • Thanks for the update. I already did that. But it is not updating the existing cookie which is given above. So I have used the IIS Rewrite module. But it is creating a new Set-Cookie instead of the existing one. – Arun vv Nov 18 '19 at 08:16
  • Short answer is: NO, we couldn't do that. Per section [3.3.4 of RFC 2965](https://www.ietf.org/rfc/rfc2965.txt), the user agent does not include the expiration information in the cookie header that is sent to the server. Therefore, there is no way to update an existing cookie's value while retaining the expiration date that was initially set based solely on the information associated with the cookie. – Brando Zhang Nov 20 '19 at 09:28
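
A check for the outcome discussed in this thread, as an added example that is not part of the original posts: it parses raw response headers and reports every Set-Cookie line that lacks HttpOnly or Secure. The cookie name `LB_cookie`, its value and the three sample responses are constructed for illustration.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes).

    Attribute names are matched case-insensitively. Splitting on ';' keeps the
    comma inside an 'expires' date (as in the header above) in one piece.
    """
    first, *rest = value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(raw_headers, required=("httponly", "secure")):
    """Return [(cookie name, [missing flags])] for each Set-Cookie line lacking a flag.

    Every Set-Cookie line is judged on its own, so a second header that carries
    HttpOnly does not hide an original header that still lacks it.
    """
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            missing = [flag for flag in required if flag not in attrs]
            if missing:
                findings.append((name, missing))
    return findings


# Constructed sample responses; cookie name and value are placeholders.
ORIGINAL = "Set-Cookie: LB_cookie=abc123;expires=Fri, 15-Nov-2019 06:52:47 GMT;path=/;secure"
# The situation described in the question: a new header is emitted, the first is unchanged.
DUPLICATED = ORIGINAL + "\nSet-Cookie: LB_cookie=abc123; path=/; secure; HttpOnly"
# The goal stated in the question: the flag appended to the existing header.
APPENDED = ORIGINAL + "; HttpOnly"

if __name__ == "__main__":
    for label, headers in (("original", ORIGINAL),
                           ("duplicated", DUPLICATED),
                           ("appended", APPENDED)):
        print(label, audit(headers))
```

Paste the response headers copied from the browser's network panel into `audit()` after each configuration change; an empty list means every Set-Cookie line carries both flags.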