HttpCookie.HttpOnly Property

Definition

Gets or sets a value that specifies whether a cookie is accessible by client-side script.

public:
 property bool HttpOnly { bool get(); void set(bool value); };
public bool HttpOnly { get; set; }
member this.HttpOnly : bool with get, set
Public Property HttpOnly As Boolean

Property Value

true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. The default is false.

Examples

The following code example demonstrates how to write an HttpOnly cookie and shows how it is not accessible by the client through ECMAScript.

C#

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // By default, the HttpOnly property is set to false 
        // unless specified otherwise in configuration.

        myHttpCookie.Name = "MyHttpCookie";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // Setting the HttpOnly value to true makes this cookie
        // invisible to client-side script; the browser still sends
        // it back to ASP.NET with every request.

        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
    }
</script>


<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0)
    {
        var begin = document.cookie.indexOf(NameOfCookie + "=");
        if (begin != -1)
        {
            begin += NameOfCookie.length + 1;
            var end = document.cookie.indexOf(";", begin);
            if (end == -1) end = document.cookie.length;
            return unescape(document.cookie.substring(begin, end));
        }
    }
    return null;
}
</script>

<script type="text/javascript">

    // This returns the cookie's value, because the cookie
    // was written without the HttpOnly attribute.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // Because the cookie is set to HttpOnly, document.cookie
    // does not contain it and this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script>


</body>
</html>

VB

<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
    
    ' Create a new HttpCookie.
    Dim myHttpCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' By default, the HttpOnly property is set to false 
    ' unless specified otherwise in configuration.

    myHttpCookie.Name = "MyHttpCookie"
    Response.AppendCookie(myHttpCookie)

    ' Show the name of the cookie.
    Response.Write(myHttpCookie.Name)

    ' Create an HttpOnly cookie.
    Dim myHttpOnlyCookie As New HttpCookie("LastVisit", DateTime.Now.ToString())

    ' Setting the HttpOnly value to true makes this cookie
    ' invisible to client-side script; the browser still sends
    ' it back to ASP.NET with every request.

    myHttpOnlyCookie.HttpOnly = True
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie"
    Response.AppendCookie(myHttpOnlyCookie)

    ' Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name)

  End Sub
  
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0)
    {
        var begin = document.cookie.indexOf(NameOfCookie + "=");
        if (begin != -1)
        {
            begin += NameOfCookie.length + 1;
            var end = document.cookie.indexOf(";", begin);
            if (end == -1) end = document.cookie.length;
            return unescape(document.cookie.substring(begin, end));
        }
    }
    return null;
}
</script>

<script type="text/javascript">

    // This returns the cookie's value, because the cookie
    // was written without the HttpOnly attribute.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // Because the cookie is set to HttpOnly, document.cookie
    // does not contain it and this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script>

</body>
</html>

Remarks

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Caution

Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.
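The page's example can only be observed inside a browser. The following added example (not part of the original page or of ASP.NET) reproduces the same behaviour offline in Node.js: it parses the Set-Cookie response headers a page like the one above would emit, models what a compliant browser exposes through document.cookie (every cookie except those carrying HttpOnly), performs the page's getCookie lookup against that string, and, following the Caution above, audits each cookie for both the HttpOnly and the Secure attribute. The header values and the cookie names other than MyHttpCookie and MyHttpOnlyCookie are constructed for the example.

```javascript
// Added example, not code from the page. Parses Set-Cookie headers, models the
// browser's script-visible cookie string, and audits cookies for HttpOnly/Secure.

// Parse one Set-Cookie header value into { name, value, attrs }.
// attrs maps lower-cased attribute names to their value (true when bare).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    if (i === -1) {
      attrs[part.toLowerCase()] = true; // bare attribute such as HttpOnly or Secure
    } else {
      attrs[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
    }
  }
  return { name, value, attrs };
}

// Build the string a compliant browser returns for document.cookie:
// only cookies WITHOUT the HttpOnly attribute appear, as "name=value; name=value".
function scriptVisibleCookieString(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The lookup the page's client script performs, but against an explicit cookie
// string instead of document.cookie so it runs outside a browser. Compares whole
// names rather than using indexOf, so "XMyHttpCookie" cannot match "MyHttpCookie".
function getCookieFrom(cookieString, nameOfCookie) {
  for (const pair of cookieString.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name === nameOfCookie) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Audit each cookie for the two attributes the Remarks and Caution call for:
// HttpOnly (keeps client script from reading it) and Secure (keeps it off
// cleartext channels). Returns [{ name, missing: [...] }] for non-compliant cookies.
function auditSetCookieHeaders(setCookieHeaders) {
  const findings = [];
  for (const c of setCookieHeaders.map(parseSetCookie)) {
    const missing = [];
    if (!c.attrs.httponly) missing.push("HttpOnly");
    if (!c.attrs.secure) missing.push("Secure");
    if (missing.length > 0) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed sample headers shaped like those the page's example would emit.
// The values and the session cookie line are made up for this example.
const SAMPLE_SET_COOKIE = [
  "MyHttpCookie=2024-01-01; path=/",
  "MyHttpOnlyCookie=2024-01-01; path=/; HttpOnly",
  "ASP.NET_SessionId=constructed-session-id; path=/; HttpOnly; Secure",
];

// Convenience wrapper: what the page's two alert() calls would show.
function demo(setCookieHeaders) {
  const visible = scriptVisibleCookieString(setCookieHeaders);
  return {
    httpCookie: getCookieFrom(visible, "MyHttpCookie"),       // "2024-01-01"
    httpOnlyCookie: getCookieFrom(visible, "MyHttpOnlyCookie"), // null
    findings: auditSetCookieHeaders(setCookieHeaders),
  };
}

console.log(JSON.stringify(demo(SAMPLE_SET_COOKIE), null, 2));
```

Run it with `node` on a file containing the block. The audit is the part worth keeping: pointed at the real Set-Cookie headers your application emits (captured from a browser's developer tools or a proxy), it confirms that HttpOnly was actually applied and reports cookies that still lack Secure, which HttpOnly alone does nothing to address.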

Applies to