Learn why Cookies are set with the HttpOnly Attribute. Our IIS Support team is here to assist you with any questions or concerns you may have.

What Happens When Cookies Are Set with the HttpOnly Attribute

Session cookies are often targeted in attacks, making their protection vital for any secure web app.
This is where the `HttpOnly` attribute shines. Let’s dive into what this means, why it matters, and how to implement it effectively.

An Introduction to the `HttpOnly` Attribute

The `HttpOnly` attribute is a flag used in HTTP response headers to instruct the browser that a cookie should not be accessible via client-side scripts such as JavaScript. When this attribute is applied to a cookie, it becomes readable only by the server. This simple restriction can reduce the risk of cross-site scripting (XSS) attacks, which can lead to session hijacking.

For example:

Set-Cookie: sessionId=abc123; HttpOnly; Path=/

In the example above, the `HttpOnly` flag ensures that the `sessionId` cookie cannot be accessed using `document.cookie` or any other client-side method.

What Makes HttpOnly Cookies So Useful?

Cookies often store sensitive data such as session IDs or authentication tokens. If these cookies are accessible via JavaScript, they become easy targets for XSS attacks. Once a malicious script retrieves a user’s session cookie, it can send that data to an attacker’s server, allowing them to impersonate the user.

By setting the `HttpOnly` attribute:

• Cookies become inaccessible to scripts running in the browser.
• Attackers are unable to steal session data using client-side exploits.
• The overall attack surface for session hijacking is significantly reduced.

If you’re troubleshooting issues related to authentication, like HTTP Error 401.3 – Unauthorized, it’s worth verifying how cookies are handled in your IIS configuration. Learn more about fixing HTTP Error 401.3 in IIS.

How to Enable `HttpOnly` in ASP.NET (IIS)

If we are using ASP.NET, we can configure the application to automatically set the `HttpOnly` flag on all cookies by modifying the `web.config` file.

1. First, locate and open the application’s `web.config` file.
2. Then, add the following line inside the “ section:

   
   
   <configuration>
   
   <system.web>
   
   <httpCookies httpOnlyCookies="true" />
   
   </system.web>>
   
   </configuration>
   
   

Setting the `httpOnlyCookies` attribute to `true` ensures that all cookies created by our application will include the `HttpOnly` flag.

While all modern browsers support the `HttpOnly` attribute, older browsers might ignore it or treat such cookies as regular ones.

If you’re configuring other aspects of IIS, like dealing with non-working redirects or rewriting URLs while maintaining query strings, these guides may help:

• IIS redirect not working – Troubleshooting guide

• IIS URL rewrite: Append query string properly

HttpOnly in Java Web Applications

For Java web applications, especially those using JSP or Servlets, session cookies (such as `JSESSIONID`) are typically created by the container. The ability to set the `HttpOnly` attribute on these cookies depends on the container you are using (e.g., Tomcat, Jetty, etc.).

Here are some key points:

• `HttpOnly` cookies must be set by the server.
• They cannot be created or modified via JavaScript.
• Container-specific configuration or filters may be required to enforce the `HttpOnly` attribute on session cookies.

Here’s a conceptual example of setting a cookie with `HttpOnly` in Java:

Cookie cookie = new Cookie("sessionId", "abc123");

cookie.setHttpOnly(true);

response.addCookie(cookie);

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

Setting the `HttpOnly` attribute is a best practice for securing session data and defending against client-side attacks. It adds an essential layer of protection to our application’s authentication mechanism.

In brief, our Support Experts demonstrated the numerous security benefits of setting cookies with the HttpOnly attribute.