Configure HttpOnly Cookies in ASP Classic and .NET with web.config

Do you want to configure HttpOnly cookies in Classic ASP and .NET with web.config?

Video

VIDEO – How to make Http Only Cookies Secure – Secure Http only Cookies https://www.youtube.com/watch?v=8wlQt6NRP0g

VIDEO – How to create HTTP Only Cookie https://www.youtube.com/watch?v=19fDUK0FpSQ

For .NET

Use the following to make cookies HttpOnly and also Secure (requireSSL="true" adds the Secure flag, so the browser sends the cookie only over HTTPS):

<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
</system.web>

Use the following to make cookies HttpOnly only:

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>

For Classic ASP, include the following (these outbound rules require the IIS URL Rewrite module):

<system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
          <conditions>
            <add input="{R:0}" pattern="; HttpOnly" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <rule name="Add Secure">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
          <conditions>
            <add input="{R:0}" pattern="; Secure" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
      </outboundRules>
    </rewrite>
</system.webServer>

Source https://stackoverflow.com/questions/25676490/using-iis-rewrite-to-add-httponly-flag-to-cookies-not-working

If your application is built on both Classic ASP and .NET, include both sections in web.config.
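
To check the effect of the Classic ASP rules, the following added example (not from the original page or the linked Stack Overflow answer) emulates the two outbound rules in Python and audits constructed Set-Cookie values for missing flags. It assumes URL Rewrite's default case-insensitive matching and that the rules run in order; the function names and sample cookies are hypothetical.

```python
import re

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_HEADERS = [
    "ASPSESSIONIDABCDEFGH=KLMNOP; path=/",
    "prefs=dark; path=/; httponly",
    "auth=xyz; path=/; HttpOnly; Secure",
]

# Assumption: patterns are matched case-insensitively (URL Rewrite default)
# and the second rule sees the value already rewritten by the first.
RULES = [("; HttpOnly", re.compile(r"; HttpOnly", re.I)),
         ("; Secure", re.compile(r"; Secure", re.I))]

def apply_outbound_rules(set_cookie):
    """Emulate the page's two rules: append a flag only when its pattern is absent."""
    if not set_cookie:          # match pattern ".+" skips empty values
        return set_cookie
    for suffix, pattern in RULES:
        if not pattern.search(set_cookie):
            set_cookie += suffix
    return set_cookie

def missing_flags(set_cookie):
    """Parse the cookie attributes and list which of HttpOnly/Secure are absent."""
    attrs = {part.split("=", 1)[0].strip().lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]

def audit(headers):
    """Return (cookie name, flags missing before, flags missing after the rules)."""
    report = []
    for header in headers:
        name = header.split("=", 1)[0]
        rewritten = apply_outbound_rules(header)
        report.append((name, missing_flags(header), missing_flags(rewritten)))
    return report

if __name__ == "__main__":
    for name, before, after in audit(SAMPLE_HEADERS):
        print(f"{name}: missing before={before} after={after}")
```

The same `missing_flags` check can be run against Set-Cookie headers copied from the browser's developer tools after deploying the web.config change.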
