Make ASP.NET_SessionId cookie not httpOnly
Question
The cookie used for session in ASP.NET MVC is httpOnly (property set to true).
Is there a way to make it not httpOnly?
I want to be able to access this cookie from javascript.
Even if it is less secure than the "What if all the universe stands against me?!" default setting.
2 answers
solution1
3 ACCPTED 2014-12-15 08:58:36
If you REALLY need it you could try to add this to your Global.asax:
void Application_EndRequest(Object sender, EventArgs e)
{
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == "ASP.NET_SessionId")
{
Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
}
}
}
}
Solution was taken from here .
solution2
0 2015-10-30 11:14:34
I built a system that uses cookies to store search params across the site. On the home page there are links and I wanted to use jQuery to save a cookie with the item id in it.
But on click the user is then sent to an advanced search page where they can use .net controls to modify the search. The cookies are saved again but they needed to be writable by the js on the home page when the user browsed back.
So I set HttpOnly like this:
var cookie = new HttpCookie(name)
{
Value = val,
HttpOnly = false // #DEV search cookies can be modified by JS
};
HttpContext.Current.Response.Cookies.Add(cookie);
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.