Cookie setting httpOnly for WebApp

FANINDRA BHORTAKKE 6 Reputation points
2020-05-29T12:49:25.673+00:00

Hi Team,

We have a web vulnerability scanning tool that detects vulnerabilities. The tool found the issue below.

150123 cookie does not contain httpOnly attribute

We tried the options below:

  1. <httpCookies httpOnlyCookies="true" requireSSL="true" /> in web.config
  2. The outbound rewrite rules below in web.config (under <system.webServer><rewrite>):

      <outboundRules>
        <clear />
        <!-- Append the cookie flags to every Set-Cookie header that does not
             already carry them; {R:0} is the whole matched header value -->
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; secure; HttpOnly; SameSite=none" />
        </rule>
        <!-- Emit HSTS only on HTTPS responses -->
        <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
        </rule>
        <!-- Blank out the Server header -->
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <preConditions>
          <!-- Fire only when a Set-Cookie header exists and does not already
               end with the exact suffix appended above -->
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; secure; HttpOnly; SameSite=none" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>

Still, our site's cookie does not show the httpOnly attribute.

Thanks in advance.
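The scanner finding above can be reproduced and re-checked without the scanner. The following Python script is an added example, not code from the original question or from Microsoft's answer: it parses each Set-Cookie header on its own (urllib would merge them into one string), lists which of HttpOnly, Secure and SameSite are missing, and mirrors the logic of the "Add SameSite" outbound rule so you can see what it would produce for a given header. The sample headers are constructed, and the commented-out hostname in the usage block is hypothetical. Two caveats the script makes visible: the rule's precondition is a literal substring test, so a cookie that already carries HttpOnly in a different position still gets the whole suffix appended (a duplicate HttpOnly token), and the rule only rewrites Set-Cookie headers that leave this app through the IIS pipeline; cookies injected by a proxy or gateway in front of the app are never seen by it.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite, and simulate
the IIS outbound "Add SameSite" rule from the question.
Added example, not code from the original post or from Microsoft.
"""
import http.client
from urllib.parse import urlparse

REQUIRED = ("httponly", "secure", "samesite")
RULE_SUFFIX = "; secure; HttpOnly; SameSite=none"  # value the rule appends

# Constructed sample headers: an ASP.NET session cookie before any fix, one
# that already has HttpOnly in another position, and one fully hardened.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=7f3c2a1b9e; path=/",
    "ASP.NET_SessionId=7f3c2a1b9e; path=/; HttpOnly",
    "ASP.NET_SessionId=7f3c2a1b9e; path=/; secure; HttpOnly; SameSite=none",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare
    equal; flag attributes without '=' map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def missing_attributes(header):
    """Return the REQUIRED attributes absent from one Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header)
    return [a for a in REQUIRED if a not in attrs]


def apply_outbound_rule(header):
    """Mirror the web.config rule: the precondition is that the header is
    non-empty and does not already contain the literal RULE_SUFFIX; the
    action appends the suffix to the whole header value."""
    if not header or RULE_SUFFIX in header:
        return header
    return header + RULE_SUFFIX


def count_attribute(header, name):
    """How often an attribute token appears; used to spot duplicates."""
    return sum(
        1
        for p in header.split(";")[1:]
        if p.strip().partition("=")[0].strip().lower() == name.lower()
    )


def audit_url(url):
    """Fetch url once (no redirects followed) and return
    {cookie_name: [missing attributes]} for every Set-Cookie header."""
    u = urlparse(url)
    conn_cls = (
        http.client.HTTPSConnection if u.scheme == "https"
        else http.client.HTTPConnection
    )
    conn = conn_cls(u.hostname, u.port, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    findings = {}
    for key, value in resp.getheaders():  # duplicates are kept separate
        if key.lower() == "set-cookie":
            name, _, _ = parse_set_cookie(value)
            findings[name] = missing_attributes(value)
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r}\n  missing: {missing_attributes(h)}")
        print(f"  after rule: {apply_outbound_rule(h)!r}")
    # Hypothetical hostname; point this at the real site to check it live.
    # print(audit_url("https://example-app.azurewebsites.net/"))
```

Run `audit_url` against the public hostname the scanner used, not against localhost: if the missing attributes only show up on the public URL, the cookie is being set or rewritten by something in front of the app, which is the App Gateway case the answer below refers to.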

Azure App Service

1 answer

  1. brtrach-MSFT 16,121 Reputation points Microsoft Employee
    2020-07-24T21:06:43.163+00:00

    We apologize you are encountering this issue. Most HttpOnly cookie issues happen with the App Gateway. Since there might be multiple items at play here, we feel it would be best if you are given a free support ticket. Please reach out to us at azcommunity@microsoft.com with your Azure subscription ID so we can work with you further.

    We look forward to your reply.

