HttpOnly Cookies

by dee 15. January 2008 02:04

HttpOnly cookies are a Microsoft extension to the cookie standard. Cookies marked as httpOnly cannot be accessed from JavaScript. This was implemented to stop cookie stealing through XSS vulnerabilities. Contrary to what many people believe, it is not a way to stop XSS vulnerabilities themselves; it only stops one of the attacks (cookie stealing) that XSS makes possible.

ASP.NET uses this feature by default, so cookies marked as httpOnly (for example "ASP.NET_SessionId") cannot be accessed from JavaScript in Internet Explorer. To turn it off, add the following setting to the web.config file:

<system.web>
    <httpCookies httpOnlyCookies="false" />
</system.web>
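
Which cookies remain readable from script can be checked from the Set-Cookie response headers. The following is an added example, not code from the original post: it parses constructed header values and lists the cookies set without the HttpOnly attribute. The function names and sample values are assumptions, and path, domain and Secure scoping are ignored.

```javascript
// Added example: audit Set-Cookie headers for cookies that page script could read.
// The header values below are constructed sample data, not captured traffic.
const sampleHeaders = [
  "ASP.NET_SessionId=abc123; path=/; HttpOnly",
  "theme=dark; path=/",
  "note=httponly-demo; path=/",           // value merely contains the word
  "auth=def456; path=/; secure; httponly" // attribute names are case-insensitive
];

// Parse one Set-Cookie header value into its name, value and flags.
// (parseSetCookie is a hypothetical helper written for this example.)
function parseSetCookie(header) {
  const parts = header.split(";").map(function (p) { return p.trim(); });
  const pair = parts.shift();
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    httpOnly: false,
    secure: false
  };
  parts.forEach(function (attr) {
    // Compare the attribute name only, so text inside the cookie value
    // or inside another attribute's value cannot be mistaken for the flag.
    const attrName = attr.split("=")[0].trim().toLowerCase();
    if (attrName === "httponly") { cookie.httpOnly = true; }
    if (attrName === "secure") { cookie.secure = true; }
  });
  return cookie;
}

// Names of the cookies set without HttpOnly, which is the set that
// document.cookie can expose to script running in the page.
function scriptReadableCookies(headers) {
  return headers.map(parseSetCookie)
    .filter(function (c) { return !c.httpOnly; })
    .map(function (c) { return c.name; });
}

console.log("Readable from script:", scriptReadableCookies(sampleHeaders));
```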

AJAX and error handling

by dee 7. January 2008 18:34

Use the following code to catch AJAX errors:

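// Register a handler that runs after every asynchronous postback completes.
Sys.WebForms.PageRequestManager.getInstance().add_endRequest(EndRequestHandler);

function EndRequestHandler(sender, args)
{
   var error = args.get_error();
   // Handle only server-side failures (HTTP 500) here.
   if (error != undefined && error.httpStatusCode == 500)
   {
       var errorMessage = error.message;
       // Mark the error as handled so the default error dialog is not shown.
       args.set_errorHandled(true);
       alert(errorMessage);
   }
}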

Javascript Go-Back

by dee 2. January 2008 17:55

Use the history.go(-1) method.
