Hello folks!
I’m trying to create a cookie in my service… I would like to have all my ServiceStack cookies (ss-id and ss-pid) as HttpOnly but my cookie should be JS-readable, so I need to have it not-HttpOnly.
Firstly I’ve tried this way:
Response.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", Secure = true, HttpOnly = false});
But the final cookie in my browser seems to have the HttpOnly = true anyway (maybe because of Config.AllowNonHttpOnlyCookies = false; ?).
Mmm… I’ve tried to set Config.AllowNonHttpOnlyCookies = true; but in this way also ss-id and ss-pid cookies will be NonHttp! …and this is not good at all…
Is there something I can do to set NonHttp just to the cookie that I need?
The link to source code above shows that it requires Config.AllowNonHttpOnlyCookies = true, if you don’t want to do that your manual approach works. The other approach is to set the Cookie on the underlying Response object directly, e.g:
//assuming ASP.NET Host
var aspRes = Response.OriginalResponse as HttpResponseBase;
aspRes.SetCookie(...);
Thank you mythz for the explanation, I prefer to keep Config.AllowNonHttpOnlyCookies = false; so I’ll send the cookie from my service using the manual approach!
I now need to put the same code in a global response filter; I have tried it this way:
…but the cookie doesn’t get set.
I can set a cookie from the filter, using this function:
res.SetCookie(new Cookie { Name = "my-cookie", Value = "my-value", Path = "/", HttpOnly = false });
but in this way I can’t set the HttpOnly = false as I would with the manual approach.
Why can’t I get AddHeader to work as in my service? Is there a way to fix that?
Have you tried the inner response suggestion I recommended? Which Host are you using? ASP.NET or self-host? If you’re using ASP.NET, it prohibits setting cookie header manually and wants you to use their explicit HttpResponseBase.SetCookie() API instead.
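The inner-response suggestion above, applied inside a global response filter, as an added example that is not part of the original thread or ServiceStack's own code. It assumes an ASP.NET (System.Web) host; the names `MyAppHost`, `Hello` and `HelloService` are hypothetical.

```csharp
using System.Web;
using Funq;
using ServiceStack;

// Hypothetical request DTO and service, present only so the AppHost has an assembly to scan.
public class Hello : IReturn<string> { public string Name { get; set; } }

public class HelloService : Service
{
    public object Any(Hello request) => "Hello, " + request.Name;
}

public class MyAppHost : AppHostBase
{
    public MyAppHost() : base("Cookie demo", typeof(HelloService).Assembly) { }

    public override void Configure(Container container)
    {
        // Keep ServiceStack's own cookies (ss-id, ss-pid) HttpOnly.
        SetConfig(new HostConfig { AllowNonHttpOnlyCookies = false });

        GlobalResponseFilters.Add((req, res, dto) =>
        {
            if (res.IsClosed) return;

            // ASP.NET host only: on a self-host the cast yields null and the filter does nothing.
            var aspRes = res.OriginalResponse as HttpResponseBase;
            if (aspRes == null) return;

            // This cookie is readable from JavaScript, so it must never carry
            // a session identifier or any other secret.
            var cookie = new HttpCookie("my-cookie", "my-value")
            {
                Path = "/",
                Secure = true,
                HttpOnly = false
            };

            // ASP.NET's explicit cookie API, used instead of writing the Set-Cookie header by hand.
            aspRes.SetCookie(cookie);
        });
    }
}
```

To confirm the result, inspect the `Set-Cookie` response headers: `ss-id` and `ss-pid` should still carry the `HttpOnly` attribute while `my-cookie` should not.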