Darren Oster

Reputation: 9196

How to clear the HttpOnly flag on Cookies?

I seem to be having the reverse problem to a lot of people. Many questions have looked at why their cookies lose the HttpOnly setting. I am trying to work out why mine keeps hanging around.

I am writing a proxy service using ServiceStack to allow jQuery ajax calls to work cross-domain with a server that does not implement JSONP or CORS (don't worry, this is actually a legitimate project). When a response containing a cookie is received, I copy it across to the Response object, as follows:

Incoming cookie:

Set-Cookie: MYAPI=8579...05B1; expires=Thu, 10-Apr-2014 13:08:18 GMT; path=/

As you can see, no HttpOnly flag. I then copy the cookie across as follows:

var cookies = client.CookieContainer.GetCookies(new Uri(apiUrl));
foreach (Cookie cookie in cookies)
{
    cookie.HttpOnly = false;
    cookie.Domain = "";
    Response.Cookies.AddCookie(cookie);
}

And then return the response. All the data comes through correctly, but the cookie ends up as:

Set-Cookie: MYAPI=8579...05B1; expires=Thu, 10-Apr-2014 13:08:18 GMT; path=/; HttpOnly

I have set my web.config with the following:

<httpCookies httpOnlyCookies="false"/>

Any ideas as to why the HttpOnly flag is being set, and how to get around it? I did read somewhere that ServiceStack sets HttpOnly by default, but couldn't see how to un-set it.

Upvotes: 2

Views: 1044

Answers (1)

Darren Oster

Reputation: 9196

A configuration setting, AllowNonHttpOnlyCookies, has been added to ServiceStack to cope with this situation. The setting defaults to false (enforcing HttpOnly cookies).

Upvotes: 2
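
A check for the symptom described in the question, as an added example that is not part of the original question or answer: it compares the upstream Set-Cookie header with the one the proxy emits and reports attributes that were added, dropped or changed. The function names are hypothetical; the `MYAPI` headers are the ones quoted in the question, and the `sid` pair is constructed.

```python
# Added example (not ServiceStack code): diff cookie attributes across a proxy hop.
WATCHED = ("httponly", "secure", "samesite", "domain", "path")

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header; attribute names lower-cased."""
    line = header.strip()
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie header: %r" % header)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
    return name.strip(), value.strip(), attrs

def diff_cookie(upstream, proxied):
    """List how the proxied cookie differs from the upstream one."""
    u_name, u_val, u_attrs = parse_set_cookie(upstream)
    p_name, p_val, p_attrs = parse_set_cookie(proxied)
    findings = []
    if (u_name, u_val) != (p_name, p_val):
        findings.append("name/value changed")
    for attr in WATCHED:
        before, after = u_attrs.get(attr), p_attrs.get(attr)
        if before is None and after is not None:
            findings.append("added %s" % attr)
        elif before is not None and after is None:
            findings.append("dropped %s" % attr)
        elif before != after:
            findings.append("changed %s: %r -> %r" % (attr, before, after))
    return findings

# Headers quoted in the question (value elided there as well).
UPSTREAM = "Set-Cookie: MYAPI=8579...05B1; expires=Thu, 10-Apr-2014 13:08:18 GMT; path=/"
PROXIED = UPSTREAM + "; HttpOnly"
# Constructed pair: a proxy that loses the protective flags and rewrites the path.
SID_UPSTREAM = "Set-Cookie: sid=abc; Path=/; Secure; HttpOnly"
SID_PROXIED = "Set-Cookie: sid=abc; Path=/app"

if __name__ == "__main__":
    for up, down in ((UPSTREAM, PROXIED), (SID_UPSTREAM, SID_PROXIED)):
        print(diff_cookie(up, down))
```

Run after any change to the cookie settings, a "dropped httponly" finding shows which cookies have become readable from page script.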
