HttpCookie.HttpOnly Property using MVC, how to set as False ? RRS feed

  • Question

  • Hello, (Not sure if this is the right place to post)

    When we run a security scan on our site we get an error of "Session Cookie Does Not Contain the "Secure" Attribute" ( This could allow a man-in-the-middle attack)
    Screen Shot: https://www.screencast.com/t/1cEiBQ1Zelb

    Here is how it looks when using a cookie tool.. https://www.screencast.com/t/KXZxfflN 

    It shows the cookie as only allowing over http but we need it over httpS

    In my searching I find statements of how its to be set in code... such as on MSDN https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx ...
    But my developer tells me "That link won't work. It is only applicable to webforms. We are using mvc"

    So how to fix this this when using MVC?

    Shane Weddle

    Thursday, February 15, 2018 5:45 PM

All replies

  • Hi swaddle,

    Welcome to the MSDN forum.

    This forum is discussing Visual Studio WPF/SL Designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System, and Visual Studio Editor.

    According to your description, your issue is related to MVC, I suggest you could repost a new thread to the following forum for a professional answer.


    Thanks for your understanding.



    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Proposed as answer by Judy ZhuY Monday, February 19, 2018 1:43 AM
    Friday, February 16, 2018 2:31 AM