This documentation is archived and is not being maintained.

HttpCookie.HttpOnly Property

Note: This property is new in the .NET Framework version 2.0.

Gets or sets a value that specifies whether a cookie is accessible by client-side script.

Namespace: System.Web
Assembly: System.Web (in system.web.dll)

public bool HttpOnly { get; set; }
/** @property */
public boolean get_HttpOnly ()

/** @property */
public void set_HttpOnly (boolean value)

public function get HttpOnly () : boolean

public function set HttpOnly (value : boolean)

Property Value

true if the cookie has the HttpOnly attribute and cannot be accessed through a client-side script; otherwise, false. The default is false.

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Caution noteCaution

Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.

For more information on possible attacks and how this property can help mitigate them, see Mitigating Cross-site Scripting With HTTP-only Cookies.

The following code example demonstrates how to write an HttpOnly cookie and shows how it is not accessible by the client through ECMAScript.

<%@ Page Language="C#" %>

<script runat="server">
    void Page_Load(object sender, EventArgs e)
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // By default, the HttpOnly property is set to false 
        // unless specified otherwise in configuration.

        myHttpCookie.Name = "MyHttpCookie";

        // Show the name of the cookie.

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

        // Setting the HttpOnly value to true, makes
        // this cookie accessible only to ASP.NET.

        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";

        // Show the name of the HttpOnly cookie.

function getCookie(NameOfCookie)
    if (document.cookie.length > 0) 
    begin = document.cookie.indexOf(NameOfCookie+"="); 
    if (begin != -1)
    begin += NameOfCookie.length+1; 
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));       
return null;  


    // This code returns the cookie name.
    alert("Getting HTTP Cookie");

    // Because the cookie is set to HttpOnly,
    // this returns null.
    alert("Getting HTTP Only Cookie");



Windows 98, Windows 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

.NET Framework

Supported in: 2.0