If you&#39;re using ASP.NET 2.0 or greater, you can turn it on in the Web.config file. In the &amp;lt;system.web&amp;gt; section, add the following line:

    &lt;httpCookies httpOnlyCookies=&quot;true&quot;/&gt;




With props to Rick (second comment down in the blog post mentioned), here&#39;s the [MSDN article][1] on httpOnlyCookies.

Bottom line is that you just add the following section in your system.web section in your web.config:

    &lt;httpCookies domain=&quot;&quot; httpOnlyCookies=&quot;true|false&quot; requireSSL=&quot;true|false&quot; /&gt;


  [1]: http://msdn.microsoft.com/en-us/library/system.web.configuration.httpcookiessection.httponlycookies.aspx

If you want to do it in code, use the [System.Web.HttpCookie.HttpOnly](http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx) property.

This is directly from the MSDN docs:

    // Create a new HttpCookie.
    HttpCookie myHttpCookie = new HttpCookie(&quot;LastVisit&quot;, DateTime.Now.ToString());
    // By default, the HttpOnly property is set to false 
    // unless specified otherwise in configuration.
    myHttpCookie.Name = &quot;MyHttpCookie&quot;;
    Response.AppendCookie(myHttpCookie);
    // Show the name of the cookie.
    Response.Write(myHttpCookie.Name);
    // Create an HttpOnly cookie.
    HttpCookie myHttpOnlyCookie = new HttpCookie(&quot;LastVisit&quot;, DateTime.Now.ToString());
    // Setting the HttpOnly value to true, makes
    // this cookie accessible only to ASP.NET.
    myHttpOnlyCookie.HttpOnly = true;
    myHttpOnlyCookie.Name = &quot;MyHttpOnlyCookie&quot;;
    Response.AppendCookie(myHttpOnlyCookie);
    // Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name);

Doing it in code allows you to selectively choose which cookies are HttpOnly and which are not.

Interestingly putting `&lt;httpCookies httpOnlyCookies=&quot;false&quot;/&gt;` doesn&#39;t seem to disable `httpOnlyCookies` in ASP.NET 2.0. Check this article about [SessionID and Login Problems With ASP .NET 2.0][1].

Looks like Microsoft took the decision to not allow you to disable it from the web.config. Check this [post on forums.asp.net][2]


  [1]: http://nerd.steveferson.com/2007/09/14/act-sessionid-and-login-problems-with-asp-net-20/
  [2]: http://forums.asp.net/p/976773/1240648.aspx

Since there are no header sections for user controls in asp.net, user controls have no way of knowing about stylesheet files. So css classes in the user controls are not recognized by visual studio and produces warnings. How can I make a user control know that it will relate to a css class, so if it is warning me about a non-existing css class, it means that the class really do not exist?

Edit: Or should I go for a different design like exposing css classes as properties like &quot;HeaderStyle-CssClass&quot; of GridView?

How to make user controls know about css classes in ASP.NET

I&#39;m currently creating an explicit reference to this in the outer class so that I have a name to refer to in the anonymous inner class.  Is there a better way to do this?

How do you get a reference to the enclosing class from an anonymous inner class in Java?

Inspired by this CodingHorror article, &quot;[Protecting Your Cookies: HttpOnly][1]&quot;

How do you set this property? Somewhere in the web config?


  [1]: http://www.codinghorror.com/blog/archives/001167.html

How exactly do you configure httpOnlyCookies in ASP.NET?

<p>Inspired by this CodingHorror article, "<a href="http://www.codinghorror.com/blog/archives/001167.html" target="_blank" rel="noopener noreferrer">Protecting Your Cookies: HttpOnly</a>"</p>
<p>How do you set this property? Somewhere in the web config?</p>


Is anyone using Elmah to send exceptions via email? I&#39;ve got Elmah logging set up via SQL Server, and can view the errors page via the Elmah.axd page, but I am unable to get the email component working. The idea here is to get the email notification so we can react more quickly to exceptions. Here is my web.config (unnecessary sectionss omitted), with all the sensitive data replaced by * * *. Even though I am specifying a server to connect to, does the SMTP service need to be running on the local machine?

    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;configuration&gt;
    	&lt;configSections&gt;
            &lt;sectionGroup name=&quot;elmah&quot;&gt;
                &lt;section name=&quot;errorLog&quot; requirePermission=&quot;false&quot; type=&quot;Elmah.ErrorLogSectionHandler, Elmah&quot;/&gt;
                &lt;section name=&quot;errorMail&quot; requirePermission=&quot;false&quot; type=&quot;Elmah.ErrorMailSectionHandler, Elmah&quot;/&gt;
                &lt;section name=&quot;errorFilter&quot; requirePermission=&quot;false&quot; type=&quot;Elmah.ErrorFilterSectionHandler, Elmah&quot;/&gt;
            &lt;/sectionGroup&gt;
    	&lt;/configSections&gt;
    	&lt;appSettings/&gt;
    	&lt;connectionStrings&gt;
            &lt;add name=&quot;elmah-sql&quot; connectionString=&quot;Data Source=***;Initial Catalog=***;Persist Security Info=True;User ID=***;Password=***&quot; /&gt;
        &lt;/connectionStrings&gt;
    
        &lt;elmah&gt;
            &lt;errorLog type=&quot;Elmah.SqlErrorLog, Elmah&quot; connectionStringName=&quot;elmah-sql&quot;   &gt;
            &lt;/errorLog&gt;
            &lt;errorMail from=&quot;test@test.com&quot;
               to=&quot;test@test.com&quot;
               subject=&quot;Application Exception&quot;
               async=&quot;false&quot;
               smtpPort=&quot;25&quot;
               smtpServer=&quot;***&quot;
               userName=&quot;***&quot;
               password=&quot;***&quot;&gt;
            &lt;/errorMail&gt;
        &lt;/elmah&gt;
    
        &lt;system.web&gt;        
            &lt;customErrors mode=&quot;RemoteOnly&quot; defaultRedirect=&quot;CustomError.aspx&quot;&gt;
                &lt;error statusCode=&quot;403&quot; redirect=&quot;NotAuthorized.aspx&quot; /&gt;
                &lt;!--&lt;error statusCode=&quot;404&quot; redirect=&quot;FileNotFound.htm&quot; /&gt;--&gt;
            &lt;/customErrors&gt;
    		&lt;httpHandlers&gt;
    			&lt;remove verb=&quot;*&quot; path=&quot;*.asmx&quot;/&gt;
    			&lt;add verb=&quot;*&quot; path=&quot;*.asmx&quot; validate=&quot;false&quot; type=&quot;System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&quot;/&gt;
    			&lt;add verb=&quot;*&quot; path=&quot;*_AppService.axd&quot; validate=&quot;false&quot; type=&quot;System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&quot;/&gt;
    			&lt;add verb=&quot;GET,HEAD&quot; path=&quot;ScriptResource.axd&quot; type=&quot;System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&quot; validate=&quot;false&quot;/&gt;
                &lt;add verb=&quot;POST,GET,HEAD&quot; path=&quot;elmah.axd&quot; type=&quot;Elmah.ErrorLogPageFactory, Elmah&quot; /&gt;
            &lt;/httpHandlers&gt;
    		&lt;httpModules&gt;
    			&lt;add name=&quot;ScriptModule&quot; type=&quot;System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&quot;/&gt;
                &lt;add name=&quot;ErrorLog&quot; type=&quot;Elmah.ErrorLogModule, Elmah&quot;/&gt;
            &lt;/httpModules&gt;
    	&lt;/system.web&gt;
    	
    &lt;/configuration&gt;

Send email from Elmah?

I know in certain circumstances, such as long running processes, it is important to lock ASP.NET cache in order to avoid subsequent requests by another user for that resource from executing the long process again instead of hitting the cache.

What is the best way in c# to implement cache locking in ASP.NET?  

What is the best way to lock cache in asp.net?

I need to be able to get at the full URL of the page I am on from a user control.  Is it just a matter of concatenating a bunch of Request variables together?  If so which ones? Or is there a more simpiler way?

How do I get the full url of the page I am on in C#

I found some wild remarks that ASP.NET MVC is 30x faster than ASP.NET WebForms. What real performance difference is there, has this been measured and what are the performance benefits.

This is to help me consider moving from ASP.NET WebForms to ASP.NET MVC.

ASP.NET MVC Performance

How can I set the cookies in my `PHP apps` as `HttpOnly cookies`?

How do you set up use HttpOnly cookies in PHP

Simple example: I want to have some items on a page (like divs or table rows), and I want to let the user click on them to select them. That seems easy enough in jQuery. To save which items a user clicks on with no server-side post backs, I was thinking a cookie would be a simple way to get this done.

1. Is this assumption that a cookie is OK in this case, correct?
2. If it is correct, does the jQuery API have some way to read/write cookie information that is nicer than the default JavaScript APIs?


Can jQuery read/write cookies to a browser?

How do you delete all the cookies for the current domain using JavaScript?

Clearing all cookies with JavaScript

I want to download and parse webpage using python, but to access it I need a couple of cookies set. Therefore I need to login over https to the webpage first. The login moment involves sending two POST params (username, password) to /login.php. During the login request I want to retrieve the cookies from the response header and store them so I can use them in the request to download the webpage /data.php.

How would I do this in python (preferably 2.6)? If possible I only want to use builtin modules.


How to use Python to login to a webpage and retrieve cookies for later usage?

I need to figure out a way uniquely identify each computer which visits the web site I am creating. Does anybody have any advice on how to achieve this? 

Because i want the solution to work on all machines and all browsers (within reason) I am trying to create a solution using javascript.

Cookies will not do. 

I need the ability to basically create a guid which is unique to a computer and repeatable, assuming no hardware changes have happened to the computer. Directions i am thinking of are getting the MAC of the network card and other information of this nature which will id the machine visiting the web site.


How do I uniquely identify computers visiting my web site?

User equals untrustworthy. Never trust untrustworthy user&#39;s input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this &quot;cleaned&quot; version? Maybe there are also some other approaches I haven&#39;t though of in addition to these. I am leaning more towards the first method, because any data that came from user input must still be approached cautiously, where the &quot;cleaned&quot; data might still unknowingly or accidentally be dangerous. Either way, what method do people think is best, and for what reasons?

When is it best to sanitize user input?

I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks.

Is there some way to do an XSS attack even if HTML Encode is used?

Will HTML Encoding prevent all kinds of XSS attacks?

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputing that is derived from user input.

I also occasionally seach my database for common things used in xss attached such as...

    &lt;script

What else should I be doing and how can I make sure that the things I am trying to do are **always** done.

What are the best practices for avoiding xss attacks in a PHP site

Earlier today a question was asked regarding [input validation strategies in web apps][1].

The top answer, at time of writing, suggests in `PHP` just using `htmlspecialchars` and `mysql_real_escape_string`. 

My question is: Is this always enough? Is there more we should know? Where do these functions break down?

  [1]: https://stackoverflow.com/questions/110458/what-percentage-of-my-time-will-be-spent-in-user-input-verfication-during-web-d

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Does the checkmark at the Http column of Chrome devtool&#39;s Cookie resource panel indicate a HttpOnly cookie?

I can&#39;t find docs that confirm this, though I suspect it is the case. I am trying to verify my app is using HttpOnly for session cookies.

Content Type	Original Author	Original Content on Stackoverflow
Question	Teller	View Question on Stackoverflow
Solution 1 - asp.net	Corey McKinnon	View Answer on Stackoverflow
Solution 2 - asp.net	Dillie-O	View Answer on Stackoverflow
Solution 3 - asp.net	Portman	View Answer on Stackoverflow
Solution 4 - asp.net	Matthew Lock	View Answer on Stackoverflow

How exactly do you configure httpOnlyCookies in ASP.NET?

asp.net Problem Overview

asp.net Solutions

Solution 1 - asp.net

Solution 2 - asp.net

Solution 3 - asp.net

Solution 4 - asp.net

How do you get a reference to the enclosing class from an anonymous inner class in Java?

How to make user controls know about css classes in ASP.NET

Attributions