FANINDRABHORTAKKE-1601 asked SuhailSayed-4947 commented

Cookie setting httpOnly for WebApp

Hi Team,

We have a web vulnerability scanning tool that detects vulnerabilities. The tool found the issue below.

150123 cookie does not contain httpOnly attribute

We tried the options below:

  1. <httpCookies httpOnlyCookies="true" requireSSL="true" /> in web.config


  2. <outboundRules>
    <clear />
    <!-- Append Secure, HttpOnly and SameSite=None to any Set-Cookie header
         that does not already carry them. -->
    <rule name="Add SameSite" preCondition="No SameSite">
    <!-- ".*" captures the whole Set-Cookie value into {R:0};
         a bare "." would capture only a single character. -->
    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
    <action type="Rewrite" value="{R:0}; secure; HttpOnly; SameSite=none" />
    </rule>
    <!-- Set HSTS only on HTTPS responses; ".*" also matches when the
         header is absent, so the rule adds it rather than only rewriting it. -->
    <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
    </rule>
    <!-- Blank out the Server header to avoid disclosing the IIS version. -->
    <rule name="Remove Server header">
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
    </rule>
    <preConditions>
    <!-- Fire only when a Set-Cookie header exists and it does not already
         end with the exact attribute string appended above. -->
    <preCondition name="No SameSite">
    <add input="{RESPONSE_Set_Cookie}" pattern="." />
    <add input="{RESPONSE_Set_Cookie}" pattern="; secure; HttpOnly; SameSite=none" negate="true" />
    </preCondition>
    </preConditions>
    </outboundRules>



Still, our site's cookie is not showing the httpOnly attribute.



Thanks in advance.





azure-webapps
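Before and after changing web.config, the quickest way to see what the scanner sees is to pull the raw Set-Cookie headers off the live response and check each one for HttpOnly, Secure and SameSite. The script below is an added example and is not code from the original post or from Microsoft; the SAMPLE_HEADERS are constructed to mirror the kind of finding reported above, and the fetch helper assumes the target URL is reachable from where you run it.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / SameSite.

Added example (not from the original post). Sample headers are constructed;
fetch_set_cookie_headers() assumes the URL you pass is reachable.
"""
import urllib.request


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into the cookie name and an
    attribute map. Attribute names are case-insensitive (RFC 6265), so they
    are lowercased for comparison; values keep their original case."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def audit_set_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means OK."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that are not also Secure,
        # so this combination silently breaks the cookie.
        findings.append("SameSite=None without Secure")
    return findings


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header, keyed by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(h) for h in headers}


def fetch_set_cookie_headers(url: str) -> list[str]:
    """Fetch url and return each Set-Cookie header as sent, one entry per
    header. get_all() is used so multiple Set-Cookie headers are not folded
    into one comma-joined string, which would confuse attribute parsing."""
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: a session cookie with no attributes (the scanner
# finding), a correctly flagged auth cookie, and a broken SameSite=None cookie.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    ".AspNet.Cookies=xyz; path=/; secure; HttpOnly; SameSite=None",
    "tracking=1; path=/; SameSite=None",
]

if __name__ == "__main__":
    import sys
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, findings in audit_headers(headers).items():
        print(f"{name}: {', '.join(findings) if findings else 'OK'}")
```

Run it with no argument to see the constructed sample, or pass `https://your-app.azurewebsites.net/` to audit the real response. Run it against the App Service hostname directly and then through any front door or Application Gateway in the path; if the attributes appear in one place and not the other, the component in between is rewriting the header, which narrows down where the fix has to go.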

1 Answer

brtrach-MSFT answered SuhailSayed-4947 commented

We apologize that you are encountering this issue. Most HttpOnly cookie issues happen with the App Gateway. Since there might be multiple items at play here, we feel it would be best if you are given a free support ticket. Please reach out to us at azcommunity@microsoft.com with your Azure subscription ID so we can work with you further.

We look forward to your reply.


We are also facing the same issue here; is there any resolution for it?
