Serge Profafilecebook

Reputation: 1205

Make ASP.NET_SessionId cookie not httpOnly

The cookie used for session in ASP.NET MVC is httpOnly (property set to true).

Is there a way to make it not httpOnly?

I want to be able to access this cookie from JavaScript.

Even if it is less secure than the "What if all the universe stands against me?!" default setting.

Upvotes: 2

Views: 4071

Answers (2)

Norbert Norbertson

Reputation: 2210

I built a system that uses cookies to store search params across the site. On the home page there are links and I wanted to use jQuery to save a cookie with the item id in it.

But on click, the user is then sent to an advanced search page where they can use .NET controls to modify the search. The cookies are saved again, but they needed to be writable by the JS on the home page when the user browsed back.

So I set HttpOnly like this:

var cookie = new HttpCookie(name)
{
   Value = val,
   HttpOnly = false // #DEV search cookies can be modified by JS
};
HttpContext.Current.Response.Cookies.Add(cookie);

Upvotes: 0

alekseevi15

Reputation: 1782

If you REALLY need it you could try to add this to your Global.asax:

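void Application_EndRequest(Object sender, EventArgs e)
{
   if (Response.Cookies.Count > 0)
   {
       // Iterate the existing keys: indexing Response.Cookies with a name
       // that is not present would create a new, empty cookie.
       foreach (string s in Response.Cookies.AllKeys)
       {
           if (s == "ASP.NET_SessionId")
           {
               // Drop the HttpOnly flag so client-side script can read the session id.
               Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
           }
       }
   }
}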

Solution was taken from here.

Upvotes: 5
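
A check for the effect of the Global.asax change above, as an added example that is not part of either answer: it parses Set-Cookie response header values and reports which cookies page script can read, so a test can confirm whether ASP.NET_SessionId still carries HttpOnly. The header values and the searchItemId cookie name are constructed for illustration.

```python
SESSION_COOKIE = "ASP.NET_SessionId"  # cookie name from the question

# Constructed Set-Cookie header values (not captured from a real site).
DEFAULT_RESPONSE = [
    "ASP.NET_SessionId=constructed0value; path=/; HttpOnly",
    "searchItemId=42; path=/",  # hypothetical JS-writable search cookie
]
AFTER_END_REQUEST_CHANGE = [
    "ASP.NET_SessionId=constructed0value; path=/",
    "searchItemId=42; path=/",
]
# A value that merely contains the word, and a flag in unusual case.
TRICKY = ["ASP.NET_SessionId=HttpOnly; path=/", "other=1; path=/; HTTPONLY"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attribute dict)."""
    pair, *attr_parts = header.split(";")
    name, _, value = pair.strip().partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        if key:
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def script_readable(headers):
    """Names of cookies a page script could read through document.cookie.

    When a name is set more than once, the last header decides (assumes the
    same domain and path, where the browser overwrites the earlier cookie).
    """
    http_only = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        http_only[name] = "httponly" in attrs
    return sorted(name for name, flag in http_only.items() if not flag)


def session_id_exposed(headers, session_cookie=SESSION_COOKIE):
    """True when the session cookie is being set without HttpOnly."""
    return session_cookie in script_readable(headers)


if __name__ == "__main__":
    for label, hdrs in [("default", DEFAULT_RESPONSE),
                        ("after change", AFTER_END_REQUEST_CHANGE)]:
        print(label, script_readable(hdrs), session_id_exposed(hdrs))
```

Parsing the attributes rather than searching the header for the substring "httponly" matters for the TRICKY case, where the word appears only as the cookie's value.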
