HttpCookie.HttpOnly HttpCookie.HttpOnly HttpCookie.HttpOnly HttpCookie.HttpOnly Property

Definición

Obtiene o establece un valor que especifica si se puede obtener acceso a una cookie mediante script de cliente.Gets or sets a value that specifies whether a cookie is accessible by client-side script.

public:
 property bool HttpOnly { bool get(); void set(bool value); };
public bool HttpOnly { get; set; }
member this.HttpOnly : bool with get, set
Public Property HttpOnly As Boolean

Valor de propiedad

Es true si la cookie tiene el atributo HttpOnly y no se puede obtener acceso a la misma a través de un script de cliente; de lo contrario, es false.true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. El valor predeterminado es false.The default is false.

Ejemplos

En el ejemplo de código siguiente se muestra cómo escribir un HttpOnly cookie y muestra por qué no es accesible por el cliente a través de ECMAScript.The following code example demonstrates how to write an HttpOnly cookie and shows how it is not accessible by the client through ECMAScript.

<%@ Page Language="C#" %>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // By default, the HttpOnly property is set to false 
        // unless specified otherwise in configuration.

        myHttpCookie.Name = "MyHttpCookie";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // Setting the HttpOnly value to true, makes
        // this cookie accessible only to ASP.NET.

        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
    }
</script>


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0) 
{ 
    begin = document.cookie.indexOf(NameOfCookie+"="); 
    if (begin != -1)
   { 
    begin += NameOfCookie.length+1; 
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));       
      } 
  }
return null;  
}
</script>

<script type="text/javascript">

    // This code returns the cookie name.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // Because the cookie is set to HttpOnly,
    // this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script> 


</body>
</html>
<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    
    ' Create a new HttpCookie.
    Dim myHttpCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' By default, the HttpOnly property is set to false 
    ' unless specified otherwise in configuration.

    myHttpCookie.Name = "MyHttpCookie"
    Response.AppendCookie(myHttpCookie)

    ' Show the name of the cookie.
    Response.Write(myHttpCookie.Name)

    ' Create an HttpOnly cookie.
    Dim myHttpOnlyCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' Setting the HttpOnly value to true, makes
    ' this cookie accessible only to ASP.NET.

    myHttpOnlyCookie.HttpOnly = True
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie"
    Response.AppendCookie(myHttpOnlyCookie)

    ' Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name)

  End Sub
  
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
  if (document.cookie.length > 0) 
  { 
    begin = document.cookie.indexOf(NameOfCookie+"="); 
    if (begin != -1)
    { 
    begin += NameOfCookie.length+1; 
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));       
    } 
  }
  return null;  
}
</script>

<script type="text/javascript">

// This code returns the cookie name.
alert("Getting HTTP Cookie");
alert(getCookie("MyHttpCookie"));

// Because the cookie is set to HttpOnly,
// this returns null.
alert("Getting HTTP Only Cookie");
alert(getCookie("MyHttpOnlyCookie"));

</script> 

</body>
</html>

Comentarios

Versión de Microsoft Internet Explorer 6 Service Pack 1 y versiones posteriores admite una propiedad de la cookie, HttpOnly, que puede ayudar a mitigar las amenazas de scripting entre sitios que producen las cookies robadas.Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Sustracción de cookies puede contener información confidencial que identifica el usuario para el sitio, como el ASP.NET sesión formularios o Id. de vale de autenticación y se puede reproducir el atacante para hacerse pasar por el usuario u obtener información confidencial.Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. Cuando un HttpOnly cookie se recibe un explorador compatible, no es accesible en el script del lado cliente.When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Precaución

Establecer el HttpOnly propiedad true no impide que un atacante con acceso al canal de red acceder directamente a la cookie.Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Considere el uso de capa de Sockets seguros (SSL) para ayudar a protegerse contra esto.Consider using Secure Sockets Layer (SSL) to help protect against this. Seguridad de la estación de trabajo también es importante, como un usuario malintencionado podría utilizar una ventana del explorador abierta o en un equipo que contiene las cookies persistentes para obtener acceso a un sitio Web con la identidad de un usuario legítimo.Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

Para obtener más información sobre los posibles ataques y cómo puede ayudar a mitigar esta propiedad, vea Mitigating Cross-site Scripting con Cookies sólo HTTP.For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.

Se aplica a