Non HttpOnly cookie

Hello folks!
I’m trying to create a cookie in my service… I would like to have all my ServiceStack cookies (ss-id and ss-pid) as HttpOnly, but my cookie should be JS-readable, so I need to have it not HttpOnly.

Firstly I’ve tried this way:

Response.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", Secure = true, HttpOnly = false});

But the final cookie in my browser seems to have the HttpOnly = true anyway (maybe because of Config.AllowNonHttpOnlyCookies = false; ?).

So as second option I’ve tried:

var cookie = string.Format("{0}={1}; path={2}; secure", "my-cookie2", "my-value2", "/");
Response.AddHeader("Set-Cookie", cookie);

…and it seems to work fine.

I’m here to ask if my “manual Set-Cookie” with AddHeader is the right way to have this, and why the SetCookie function can’t do that.

Thank you very much!

Yes, this is the reason. You’ll need to change Config.AllowNonHttpOnlyCookies = true;

Mmm… I’ve tried to set Config.AllowNonHttpOnlyCookies = true; but in this way also ss-id and ss-pid cookies will be NonHttp! …and this is not good at all…

Is there something I can do to set NonHttp just to the cookie that I need?

The link to the source code above shows that it requires Config.AllowNonHttpOnlyCookies = true; if you don’t want to do that, your manual approach works. The other approach is to set the Cookie on the underlying Response object directly, e.g.:

// assuming ASP.NET Host: get the underlying HttpResponseBase
var aspRes = Response.OriginalResponse as HttpResponseBase;
// set the non-HttpOnly cookie through ASP.NET's own API, bypassing ServiceStack's cookie config
aspRes.SetCookie(new HttpCookie("my-cookie", "my-value") { Path = "/", Secure = true, HttpOnly = false });

Thank you mythz for the explanation, I prefer to keep Config.AllowNonHttpOnlyCookies = false; so I’ll send the cookie from my service using the manual approach!

I have now the need to put the same code in a global response filter; I have tried this way:

public static void MyResponseFilter(IRequest req, IResponse res, object response)
{
    var cookie = string.Format("{0}={1}; path={2}; secure", "my-cookie2", "my-value2", "/");
    res.AddHeader("Set-Cookie", cookie);
}

…but the cookie doesn’t get set.
I can set a cookie from the filter, using this function:

res.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", HttpOnly = false }); 

but in this way I can’t set HttpOnly = false as I would with the manual approach.
Why can’t I get AddHeader to work as in my service? Is there a way to fix that?

Have you tried the inner response suggestion I recommended? Which Host are you using? ASP.NET or self-host? If you’re using ASP.NET, it prohibits setting the cookie header manually and wants you to use their explicit HttpResponseBase.SetCookie() API instead.


Thank you mythz!
HttpResponseBase.SetCookie() solved my problem; I leave my solution here:

public static void MyResponseFilter(IRequest req, IResponse res, object response)
{
    // ASP.NET host: the underlying response exposes its own cookie API
    var baseRes = (HttpResponseBase) res.OriginalResponse;

    HttpCookie cookie = new HttpCookie("my-cookie", "my-value");
    cookie.Secure = req.IsSecureConnection;
    cookie.HttpOnly = false;   // JS-readable, independent of Config.AllowNonHttpOnlyCookies
    baseRes.SetCookie(cookie);
}
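As an added example (not code from this thread or from ServiceStack itself), here is the whole arrangement the thread arrives at in one place: an AppHost that keeps Config.AllowNonHttpOnlyCookies = false so ss-id and ss-pid stay HttpOnly, plus a global response filter for the ASP.NET host that issues the one JS-readable cookie through the underlying HttpResponseBase and then re-checks that no session cookie in the outgoing response has lost its HttpOnly flag. The cookie name and value, the filter and class names, and the assumption that session cookies already written are visible in baseRes.Cookies are all illustrative.

```csharp
using System;
using System.Web;
using Funq;
using ServiceStack;
using ServiceStack.Web;

public class AppHost : AppHostBase
{
    public AppHost() : base("Cookie demo", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Keep the framework default: ServiceStack's own cookies (ss-id, ss-pid) are HttpOnly.
        SetConfig(new HostConfig { AllowNonHttpOnlyCookies = false });

        // Register the filter so it runs for every response.
        GlobalResponseFilters.Add(CookieFilters.AddJsReadableCookie);
    }
}

public static class CookieFilters
{
    // Names of the ServiceStack session cookies discussed in the thread.
    static readonly string[] SessionCookieNames = { "ss-id", "ss-pid" };

    public static void AddJsReadableCookie(IRequest req, IResponse res, object dto)
    {
        // Only the ASP.NET host exposes HttpResponseBase; do nothing on other hosts (e.g. self-host).
        var baseRes = res.OriginalResponse as HttpResponseBase;
        if (baseRes == null) return;

        // Hypothetical cookie name/value; written through ASP.NET's own API so
        // ServiceStack's AllowNonHttpOnlyCookies setting does not apply to it.
        var cookie = new HttpCookie("my-cookie", "my-value")
        {
            Path = "/",
            HttpOnly = false,                 // deliberately readable by page scripts
            Secure = req.IsSecureConnection,  // only sent over HTTPS when issued over HTTPS
        };
        baseRes.SetCookie(cookie);

        // Defensive check (assumption: cookies already added to this response are in
        // baseRes.Cookies): make sure neither session cookie has been downgraded to non-HttpOnly.
        // Iterate by index: the string indexer on a response cookie collection creates
        // missing cookies as a side effect, which we do not want here.
        for (int i = 0; i < baseRes.Cookies.Count; i++)
        {
            HttpCookie existing = baseRes.Cookies[i];
            if (Array.IndexOf(SessionCookieNames, existing.Name) >= 0 && !existing.HttpOnly)
                existing.HttpOnly = true;
        }
    }
}
```

The filter returns early when OriginalResponse is not an HttpResponseBase, so the same code can be left registered on a self-host without throwing; on that host the thread's manual Set-Cookie header is the route that works.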