httpCookies Element (ASP.NET Settings Schema)

Configures properties for cookies used by a Web application.

configuration Element (General Settings Schema)
  system.web Element (ASP.NET Settings Schema)
    httpCookies Element (ASP.NET Settings Schema)

<httpCookies domain="String" 
             httpOnlyCookies="true|false" 
             requireSSL="true|false" />

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute
    Description

domain
    Optional String attribute.
    Sets the cookie domain name.

httpOnlyCookies
    Optional Boolean attribute.
    Enables output of the HttpOnlyCookies cookie in Internet Explorer 6 SP1.
    Default value is false.

requireSSL
    Optional Boolean attribute.
    Sets a value indicating whether Secure Sockets Layer (SSL) communication is required.
    Default value is false.
    Note: This setting is overridden by any other feature that exposes the requireSSL configuration (for example: the forms Element for authentication (ASP.NET Settings Schema)).

Child Elements

None.

Parent Elements

Element
    Description

configuration
    The required root element in every configuration file used by the common language runtime and .NET Framework applications.

system.web
    Specifies the root element for the ASP.NET configuration settings in a configuration file. Contains configuration elements that configure ASP.NET Web applications and control how the applications behave.

Remarks

Internet Explorer 6 SP1 added support for a cookie property called HttpOnlyCookies that can help mitigate cross-site scripting threats that result in stolen cookies. When a compliant browser receives a cookie that has HttpOnlyCookies set to true, the cookie is inaccessible to client-side script. For more information on possible attacks and how this cookie property can help mitigate them, see the Mitigating Cross-Site Scripting with HTTP-Only Cookies tutorial on MSDN.

Default Configuration

The following default httpCookies element is not explicitly configured in the machine configuration file or in the root Web.config file, but is the default configuration returned by an application in the .NET Framework version 2.0.

<httpCookies httpOnlyCookies="false" 
  requireSSL="false" 
  domain="" />

Example

The following example configures cookies for an ASP.NET application.

<httpCookies httpOnlyCookies="false" 
  requireSSL="false" />
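
The following audit is an added example, not part of the original documentation or of ASP.NET itself. It reads one Web.config document, applies the defaults listed on this page when the httpCookies element or an attribute is absent, and reports an explicit forms requireSSL value that would override httpCookies as described in the Note under requireSSL. It assumes a single file (no Web.config inheritance is resolved); the function name and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults this page documents for the httpCookies element (.NET Framework 2.0).
DEFAULTS = {"httpOnlyCookies": "false", "requireSSL": "false", "domain": ""}

def audit_http_cookies(web_config_xml):
    """Return (effective settings, findings) for a single Web.config document."""
    root = ET.fromstring(web_config_xml)
    for el in root.iter():                      # tolerate an xmlns on <configuration>
        el.tag = el.tag.split("}")[-1]
    effective = dict(DEFAULTS)
    cookies = root.find("./system.web/httpCookies")
    if cookies is not None:
        effective.update({k: v for k, v in cookies.attrib.items() if k in DEFAULTS})

    findings = []
    if effective["httpOnlyCookies"] != "true":
        findings.append("httpOnlyCookies is not true: cookies are readable by client-side script")
    if effective["requireSSL"] != "true":
        findings.append("requireSSL is not true: SSL is not required for cookies")
    # Per the Note under requireSSL, a feature exposing its own requireSSL wins.
    # Only an explicitly configured forms value is reported here.
    forms = root.find("./system.web/authentication/forms")
    if forms is not None and forms.get("requireSSL", "true") != "true":
        findings.append("forms requireSSL overrides httpCookies requireSSL and is not true")
    return effective, findings

# Constructed sample inputs. WEAK uses the same values as the page's example.
WEAK = """<configuration><system.web>
  <httpCookies httpOnlyCookies="false" requireSSL="false" />
</system.web></configuration>"""

HARDENED_BUT_OVERRIDDEN = """<configuration><system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authentication mode="Forms"><forms requireSSL="false" /></authentication>
</system.web></configuration>"""

NO_ELEMENT = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    samples = [("weak", WEAK), ("overridden", HARDENED_BUT_OVERRIDDEN), ("absent", NO_ELEMENT)]
    for name, xml in samples:
        settings, problems = audit_http_cookies(xml)
        print(name, settings, problems)
```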

Element Information

Configuration Section Handler
    System.Web.Configuration.HttpCookiesSection

Configuration Member
    SystemWebSectionGroup.HttpCookies

Configurable Locations
    Machine.config
    Root level Web.config
    Application level Web.config
    Virtual or physical directory level Web.config

Requirements
    IIS version 5.0, IIS version 5.1, or IIS version 6.0
    .NET Framework version 1.0, .NET Framework 1.1, or .NET Framework 2.0
    Visual Studio 2003, or Visual Studio 2005

See Also

Tasks

How to: Configure Specific Directories Using Location Settings

How to: Lock ASP.NET Configuration Settings

Reference

system.web Element (ASP.NET Settings Schema)

configuration Element (General Settings Schema)

System.Configuration

System.Web.Configuration

Concepts

ASP.NET Configuration File Hierarchy and Inheritance

Securing ASP.NET Configuration

ASP.NET Configuration Scenarios

Other Resources

General Configuration Settings (ASP.NET)

ASP.NET Configuration Settings

ASP.NET Web Site Administration

ASP.NET Configuration Files

ASP.NET Configuration API