System.Web.HttpCookie.HttpOnly Property

Gets or sets a value that specifies whether a cookie is accessible by client-side script.

Syntax

public bool HttpOnly { set; get; }

Value

true if the cookie is marked HttpOnly and is therefore inaccessible to client-side script; otherwise, false.

Remarks

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpCookie.HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Note:

Setting the HttpCookie.HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

For more information on possible attacks and how this property can help mitigate them, see http://go.microsoft.com/fwlink/?LinkId=41580.
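
The following is an added example, not part of the original documentation. It sets HttpOnly together with HttpCookie.Secure (so the cookie is only sent over SSL, addressing the network exposure described in the note) and lists the cookies in a collection that lack either flag. The class name, method names, cookie names and cookie values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public static class CookieHardening
{
    // Builds a cookie that client-side script cannot read (HttpOnly)
    // and that the browser only returns over SSL/TLS (Secure).
    public static HttpCookie CreateProtected(string name, string value)
    {
        var cookie = new HttpCookie(name, value);
        cookie.HttpOnly = true;
        cookie.Secure = true;
        return cookie;
    }

    // Returns one finding per cookie that is missing HttpOnly, Secure, or both.
    // Intended for a review of Response.Cookies before the response is sent.
    public static List<string> FindUnprotected(HttpCookieCollection cookies)
    {
        var findings = new List<string>();
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie c = cookies[i];
            if (c.HttpOnly && c.Secure)
                continue;
            findings.Add(c.Name
                + (c.HttpOnly ? "" : " [HttpOnly not set]")
                + (c.Secure ? "" : " [Secure not set]"));
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample data: one hardened cookie, one left at its defaults.
        var cookies = new HttpCookieCollection();
        cookies.Add(CreateProtected("auth_ticket", "constructed-sample-value"));
        cookies.Add(new HttpCookie("legacy_pref", "constructed-sample-value"));

        foreach (string finding in FindUnprotected(cookies))
            Console.WriteLine(finding);
    }
}
```

In a page or handler, the same check can be run against Response.Cookies; the sample collection in Main only stands in for it.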

Requirements

Namespace: System.Web
Assembly: System.Web (in System.Web.dll)
Assembly Versions: 2.0.0.0