ASP.NET cookies accessible from client-side scripts
Description
This application does not set the HttpOnly flag on its cookies. When the HttpOnly attribute is not enabled, cookies can be accessed by client-side scripts such as JavaScript or VBScript running in the user's browser. This configuration weakness removes an important defense-in-depth protection against Cross-Site Scripting (XSS) attacks, as attackers who successfully inject malicious scripts can read and exfiltrate session cookies and other sensitive cookie data.
Remediation
Enable the HttpOnly attribute for all cookies to prevent client-side scripts from accessing them. This can be configured globally in the application's web.config file or set individually for specific cookies.
Global Configuration (Recommended):
Add or modify the <httpCookies> element in your web.config file:

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>

Note that requireSSL="true" additionally marks every cookie Secure, so browsers will only send it over HTTPS; enable it only when the site is served over HTTPS, otherwise authenticated sessions will break.

Individual Cookie Configuration:
When creating cookies programmatically in your code, explicitly set the HttpOnly property:
HttpCookie cookie = new HttpCookie("MyCookie", "value");
cookie.HttpOnly = true;
cookie.Secure = true; // Also recommended for HTTPS sites
Response.Cookies.Add(cookie);

After implementing this change, verify that cookies are properly configured by inspecting them in browser developer tools to confirm the HttpOnly flag is set.
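The browser developer-tools check above is manual; the following added example (not part of this advisory or of ASP.NET) automates it by parsing the Set-Cookie headers a response sends and reporting any cookie that lacks HttpOnly, or Secure on an HTTPS site. The sample headers are constructed; the cookie names ASP.NET_SessionId and .ASPXAUTH are the defaults ASP.NET uses for the session and forms-authentication cookies.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes."""
import sys
import urllib.request
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lowercased because browsers match them
    case-insensitively; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if sep else True
    return cookie


def audit_cookies(headers: List[str], https: bool = True) -> List[str]:
    """Return one finding per cookie lacking HttpOnly (and Secure when https)."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


# Constructed sample headers: the first is configured correctly, the second
# reproduces the finding described in this advisory (no HttpOnly, no Secure).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=constructedsessionid; path=/; HttpOnly; Secure",
    ".ASPXAUTH=constructedticket; path=/; expires=Tue, 01-Jan-2030 00:00:00 GMT",
]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL you operate and return every Set-Cookie header it sends."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for finding in audit_cookies(headers) or ["all cookies set HttpOnly and Secure"]:
        print(finding)
```

Run it with no arguments to audit the constructed sample, or pass the URL of your own application after deploying the web.config change to confirm the flags now appear on every cookie.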