user746627

Reputation: 11

Set HttpOnly for all cookies in sub folders/directories

I am using IIS URL Rewrite to add the HttpOnly option to all outgoing requests, except it is not adding this for requests to, for example, my ./images/ folder where a cookie is set.

Result: Set-Cookie: ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/

My outbound rule:

<outboundRules>
        <!-- Append "; HttpOnly" to every Set-Cookie header that passes the precondition -->
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <!-- Run only when a cookie is being set and it does not already carry HttpOnly -->
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
</outboundRules>

How do I get the HttpOnly flag added to the cookie being set for my images folder?

Upvotes: 1

Views: 1939

Answers (1)

AJB

Reputation: 11

Put the outbound rule at the server level. This will go in the applicationHost.config and apply it to all sites on that server.

Upvotes: 1
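One way to confirm that the flag is present on responses from every folder, as an added example that is not part of the original question or answer: the script below audits captured response headers and lists the paths whose cookies are still set without HttpOnly. The paths and the first sample response are constructed; the `/images/` cookie is the header quoted in the question.

```python
# Added example: audit captured response heads for cookies missing HttpOnly.

def set_cookie_values(response_head):
    """Return every Set-Cookie value found in a raw HTTP response head."""
    values = []
    for line in response_head.splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def has_httponly(set_cookie):
    """True only if HttpOnly is an attribute, not text inside the cookie value."""
    attributes = set_cookie.split(";")[1:]           # drop the name=value pair
    return any(a.strip().lower() == "httponly" for a in attributes)

def add_httponly(set_cookie):
    """Effect the outbound rule aims for: append the flag when it is absent."""
    if not set_cookie or has_httponly(set_cookie):
        return set_cookie
    return set_cookie + "; HttpOnly"

def audit(responses):
    """Map each path to the names of cookies set without HttpOnly."""
    findings = {}
    for path, head in responses.items():
        missing = [v.split("=", 1)[0].strip()
                   for v in set_cookie_values(head) if not has_httponly(v)]
        if missing:
            findings[path] = missing
    return findings

# Constructed sample input. The /images/ cookie is the header quoted in the
# question; the paths and the other response are made up for illustration.
SAMPLE = {
    "/default.asp": "HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/; HttpOnly\r\n",
    "/images/logo.png": "HTTP/1.1 200 OK\r\n"
                        "Content-Type: image/png\r\n"
                        "Set-Cookie: ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/\r\n",
}

if __name__ == "__main__":
    for path, names in audit(SAMPLE).items():
        print(f"{path}: missing HttpOnly on {', '.join(names)}")
```

Running the audit again after moving the rule shows whether any folder still returns a cookie without the flag.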
