Non HttpOnly cookie

gandaldf · May 22, 2016, 11:46am

Hello folks!
I’m trying to create a cookie in my service… I would like to have all my ServiceStack cookie (ss-id and ss-pid) as HttpOnly but my cookie should be JS-readable, so I need to have it not-HttpOnly.

Firstly I’ve tried this way:

Response.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", Secure = true, HttpOnly = false});

But the final cookie in my browser seems to have the HttpOnly = true anyway (maybe because of Config.AllowNonHttpOnlyCookies = false; ?).

So as second option I’ve tried:

var cookie = string.Format("{0}={1}; path={2}; secure", "my-cookie2", "my-value2", "/");
Response.AddHeader("Set-Cookie", cookie);

…and it seems to work fine.

I’m here to ask if my “maual set-cookie” with AddHeader it’s the right way to have this and why SetCookie function can’t do that.

Thank you very much!

mythz · May 22, 2016, 6:57pm

Yes, this is the reason. You’ll need to change Config.AllowNonHttpOnlyCookies = true;

gandaldf · May 22, 2016, 8:48pm

Mmm… I’ve tried to set Config.AllowNonHttpOnlyCookies = true; but in this way also ss-id and ss-pid cookies will be NonHttp! …and this is not good at all…

Is there something I can do to set NonHttp just to the cookie that I need?

mythz · May 22, 2016, 11:23pm

The link to source code above shows that it requires Config.AllowNonHttpOnlyCookies = true, if you don’t want to do that your manual approach works. The other approach is to set the Cookie on the underlying Response object directly, e.g:

//assuming ASP.NET Host
var aspRes = Response.OrignalResponse as HttpResponseBase;
aspRes.SetCookie(...);

gandaldf · May 23, 2016, 12:52am

Thank you mythz for the explanation, I prefer to keep Config.AllowNonHttpOnlyCookies = false; so I’ll send the cookie from my service using the manual approach!

I have now the need to put the same code in a global response filter; I have tried this way:

public static void MyResponseFilter(IRequest req, IResponse res, object response)
{
    var cookie = string.Format("{0}={1}; path={2}; secure", "my-cookie2", "my-value2", "/");
    res.AddHeader("Set-Cookie", cookie);
}

…but the cookie doesn’t get set.
I can set a cookie from the filter, using this function:

res.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", HttpOnly = false });

but in this way I can’t set the HttpOnly = false as I would with the manual approach.
Why I can’t have AddHeader to work as in my service? Is there a way to fix that?

mythz · May 23, 2016, 12:56am

Have you tried the inner response suggestion I recommended? Which Host are you using? ASP.NET or self-host? If you’re using ASP.NET, it prohibits setting cookie header manually and wants you to use their explicit HttpResponseBase.SetCookie() API instead.

gandaldf · May 23, 2016, 10:53am

Thank you mythz!
HttpResponseBase.SetCookie() solved my problem; I let here my solution:

public static void MyResponseFilter(IRequest req, IResponse res, object response)
{
    var baseRes = (HttpResponseBase) res.OriginalResponse;

    HttpCookie cookie = new HttpCookie("my-cookie", "my-value");
    cookie.Secure = req.IsSecureConnection;

    baseRes.SetCookie(cookie);
}