Jeff Sanders Technical Blog

I am a Microsoft employee that has worked on all aspects of the Web Stack for a long time. I hope these blogs are useful to you! Use this information at your own risk.



Understanding the New WinInet Flag INTERNET_COOKIE_HTTPONLY

- 04 Jun 2009

There are a couple of new cookie flags introduced with the Internet Explorer 8 WinInet.dll.  The INTERNET_COOKIE_HTTPONLY flag, passed in the dwFlags parameter of InternetGetCookieEx, lets your WinInet code read cookies that were set with the HttpOnly attribute.  HttpOnly exists to keep a cookie (typically a session cookie) out of reach of script running in the page, so that injected script cannot steal it; the cookie is still stored and still sent on every request, and native code on the machine can still read it.  This flag is documented here: http://msdn.microsoft.com/en-us/library/aa384714(VS.85).aspx.  Note the warning in that documentation: do not use the flag in a component that exposes a scriptable interface, or you hand the HttpOnly cookie back to exactly the script it was meant to be hidden from.  As always, I like to see examples of how this flag works!

Here is a sample ASPX page that creates one standard cookie and one HttpOnly cookie:

ASPX code listing for the sample:

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", "sometime");
        myHttpCookie.Expires = DateTime.Now.AddYears(1);

        // By default, the HttpOnly property is set to false
        // unless specified otherwise in configuration
        // (httpOnlyCookies="true" on <httpCookies> in web.config).

        myHttpCookie.Name = "MyHttpCookie";
        myHttpCookie.Path = "/";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", "sometime later");

        // Setting HttpOnly to true adds the HttpOnly attribute to the
        // Set-Cookie header, so client-side script (document.cookie)
        // cannot read this cookie. It is still sent on every HTTP request.
        myHttpOnlyCookie.HttpOnly = true;
        myHttpOnlyCookie.Expires = DateTime.Now.AddYears(1);
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        myHttpOnlyCookie.Path = "/";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
        Response.Write("jeff");
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
    // Return the value of the named cookie from document.cookie, or null.
    function getCookie(NameOfCookie) {
        if (document.cookie.length > 0) {
            var begin = document.cookie.indexOf(NameOfCookie + "=");
            if (begin != -1) {
                begin += NameOfCookie.length + 1;
                var end = document.cookie.indexOf(";", begin);
                if (end == -1) end = document.cookie.length;
                return unescape(document.cookie.substring(begin, end));
            }
        }
        return null;
    }
</script>
<script type="text/javascript">
    // This code returns the cookie value.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));
    // Because the cookie is set to HttpOnly, this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));
</script>
</body>
</html>

When you run this page in Internet Explorer you will see that script can read MyHttpCookie, but getCookie("MyHttpOnlyCookie") returns null: the HttpOnly cookie is never exposed through document.cookie.  The cookie is still stored in the cookie jar and still sent with every request to the server, and with the new flag native code can read it as well.
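To make the two views of the same cookie store concrete, here is a small cookie-jar model in JavaScript. It is an added example, not code from the original post or from WinInet: Set-Cookie parsing follows RFC 6265, and the includeHttpOnly switch stands in for INTERNET_COOKIE_HTTPONLY in InternetGetCookieEx. The host name jsanders4 is the one the post uses; the two Set-Cookie header lines are constructed to look like what the ASPX page above would emit, and the expiry date is made up. It also includes a name-exact replacement for the page's getCookie(), which can match a longer cookie name that merely ends in the name it was asked for.

```javascript
// Added example (not from the original post): a small model of the cookie
// jar that shows the two views of the same store the post contrasts.
// Set-Cookie parsing follows RFC 6265; `includeHttpOnly` plays the role of
// INTERNET_COOKIE_HTTPONLY in InternetGetCookieEx.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq <= 0) throw new Error("malformed Set-Cookie: " + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    path: "/", // default when no Path attribute is given
    httpOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
    // Expires, Max-Age and Domain are ignored by this model.
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie; a later cookie with the same name and path replaces it.
  setCookie(header) {
    const c = parseSetCookie(header);
    this.cookies = this.cookies.filter((x) => !(x.name === c.name && x.path === c.path));
    this.cookies.push(c);
  }

  // RFC 6265 path-match: the request path equals the cookie path or lies
  // under it ("/app" matches "/app/x" but not "/application").
  static pathMatches(cookiePath, requestPath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // Cookies that apply to `url`. includeHttpOnly=false is the document.cookie
  // view; includeHttpOnly=true is what INTERNET_COOKIE_HTTPONLY gives native code.
  getCookies(url, includeHttpOnly) {
    const u = new URL(url);
    return this.cookies.filter(
      (c) =>
        (includeHttpOnly || !c.httpOnly) &&
        (!c.secure || u.protocol === "https:") &&
        CookieJar.pathMatches(c.path, u.pathname)
    );
  }

  // The "name=value; name2=value2" string script sees in document.cookie.
  documentCookie(url) {
    return this.getCookies(url, false).map((c) => c.name + "=" + c.value).join("; ");
  }
}

// Name-exact replacement for the page's getCookie(): "NotMyHttpCookie=x"
// is not mistaken for "MyHttpCookie".
function getCookieByName(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    if (pair.slice(0, eq).trim() === name) return pair.slice(eq + 1).trim();
  }
  return null;
}

// Audit helper: names of cookies a response sets without HttpOnly.
function missingHttpOnly(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// Constructed sample input: the two Set-Cookie headers the ASPX page above
// would emit (expiry date made up for the example).
const SAMPLE_SET_COOKIE = [
  "MyHttpCookie=sometime; expires=Fri, 04-Jun-2010 12:00:00 GMT; path=/",
  "MyHttpOnlyCookie=sometime later; expires=Fri, 04-Jun-2010 12:00:00 GMT; path=/; HttpOnly",
];

function demo(url = "http://jsanders4/") {
  const jar = new CookieJar();
  SAMPLE_SET_COOKIE.forEach((h) => jar.setCookie(h));
  return {
    scriptView: jar.documentCookie(url),                       // what document.cookie returns
    nativeView: jar.getCookies(url, true).map((c) => c.name), // what the flag exposes
    missingHttpOnly: missingHttpOnly(SAMPLE_SET_COOKIE),
  };
}

console.log(demo());
```

Running it with node prints the script view containing only MyHttpCookie, the native view containing both cookies, and MyHttpCookie as the one cookie set without HttpOnly. The missingHttpOnly helper is the check to run over a real server's Set-Cookie headers: any session cookie it lists is readable by injected script.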

To investigate this I decided to use my favorite sample 'httpauth' from the Platform SDK.

I added this code to the end of the function, just before closing the handles.  The switch on GetLastError covers the two errors you should expect from InternetGetCookieEx: ERROR_INSUFFICIENT_BUFFER when the buffer is too small (ccCookieBufSize then holds the size required) and ERROR_NO_MORE_ITEMS when no matching cookie exists for the URL:

C++ code listing for the sample:

// Read back the two cookies the ASPX page set. The host name below is the
// server the sample page was hosted on; point it at your own.
// InternetGetCookieExA is named explicitly so the char buffer is correct
// whether or not the project is built with UNICODE defined.
fprintf(stderr, "\n");
char  szCookieBuf[512];
DWORD ccCookieBufSize = sizeof(szCookieBuf);
DWORD dwErr = 0;

// The normal cookie: no flags needed.
if (!InternetGetCookieExA("http://jsanders4/", "MyHttpCookie",
                          szCookieBuf, &ccCookieBufSize, 0, NULL))
{
    dwErr = GetLastError();
    switch (dwErr)
    {
        case ERROR_INSUFFICIENT_BUFFER:
            // ccCookieBufSize now holds the size required.
            fprintf(stderr, "Buffer too small, need %lu bytes\n", ccCookieBufSize);
            break;
        case ERROR_NO_MORE_ITEMS:
            fprintf(stderr, "No cookie named MyHttpCookie for this URL\n");
            break;
        default:
            fprintf(stderr, "InternetGetCookieEx failed: %lu\n", dwErr);
            break;
    }
}
else
{
    fprintf(stderr, "Cookie found: %s\n", szCookieBuf);
}

// The HttpOnly cookie: without INTERNET_COOKIE_HTTPONLY this call fails,
// because the cookie is filtered out just as it is for document.cookie.
ccCookieBufSize = sizeof(szCookieBuf);
if (!InternetGetCookieExA("http://jsanders4/", "MyHttpOnlyCookie",
                          szCookieBuf, &ccCookieBufSize,
                          INTERNET_COOKIE_HTTPONLY, NULL))
{
    dwErr = GetLastError();
    switch (dwErr)
    {
        case ERROR_INSUFFICIENT_BUFFER:
            fprintf(stderr, "Buffer too small, need %lu bytes\n", ccCookieBufSize);
            break;
        case ERROR_NO_MORE_ITEMS:
            fprintf(stderr, "No cookie named MyHttpOnlyCookie for this URL\n");
            break;
        default:
            fprintf(stderr, "InternetGetCookieEx failed: %lu\n", dwErr);
            break;
    }
}
else
{
    fprintf(stderr, "Cookie found: %s\n", szCookieBuf);
}

I put the page that writes the cookies on one of my servers and pointed httpauth.exe at that page.  This code works fine and does read the HttpOnly cookie.  Remove the flag and you will see the call fail!

Let me know if this was a help to you!
