Partilhar via


Understanding the New WinInet flag: INTERNET_COOKIE_HTTPONLY

There are a couple of new Cookie flags introduced with the Internet Explorer 8 WinInet.dll.  The INTERNET_COOKIE_HTTPONLY flag allows you to read the HttpOnly cookies in your WinInet Code.  This flag is documented here: https://msdn.microsoft.com/en-us/library/aa384714(VS.85).aspx.  As always, I like to see examples of how this flag works!

Here is a sample ASPX page to create some standard and httponly cookies:

aspx code listing for sample (Copy Code):

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // Create a new HttpCookie.
        HttpCookie myHttpCookie = new HttpCookie("LastVisit", "sometime");
 myHttpCookie.Expires = DateTime.Now.AddYears(1);

        // By default, the HttpOnly property is set to false
        // unless specified otherwise in configuration.

        myHttpCookie.Name = "MyHttpCookie";
 myHttpCookie.Path = "/";
        Response.AppendCookie(myHttpCookie);

        // Show the name of the cookie.
        Response.Write(myHttpCookie.Name);

        // Create an HttpOnly cookie.
        HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", "sometime later");

        // Setting the HttpOnly value to true, makes
        // this cookie accessible only to ASP.NET.

        myHttpOnlyCookie.HttpOnly = true;
 myHttpCookie.Expires = DateTime.Now.AddYears(1);
        myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
        Response.AppendCookie(myHttpOnlyCookie);

        // Show the name of the HttpOnly cookie.
        Response.Write(myHttpOnlyCookie.Name);
        Response.Write("jeff");
    }
</script>

<html  >
<head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
<script type="text/javascript">
function getCookie(NameOfCookie)
{
    if (document.cookie.length > 0)
{
    begin = document.cookie.indexOf(NameOfCookie+"=");
    if (begin != -1)
   {
    begin += NameOfCookie.length+1;
      end = document.cookie.indexOf(";", begin);
      if (end == -1) end = document.cookie.length;
      return unescape(document.cookie.substring(begin, end));      
      }
  }
return null; 
}
</script>

<script type="text/javascript">

    // This code returns the cookie name.
    alert("Getting HTTP Cookie");
    alert(getCookie("MyHttpCookie"));

    // Because the cookie is set to HttpOnly,
    // this returns null.
    alert("Getting HTTP Only Cookie");
    alert(getCookie("MyHttpOnlyCookie"));

</script>

</body>
</html>

When you run this page you will note InternetExplorer jscript will not allow you to read the value of MyHttpOnlyCookie.  This new flag will allow you to read that cookie from code however!

To investigate this I decided to use my favorite sample 'httpauth' from the Platform SDK. 

I added this code to the end of the function, just before closing the handles (note the empty error conditions that you need to fill in):

C++ code listing for sample (Copy Code):

fprintf (stderr,

"\n");
char szCookieBuf[512];
DWORD ccCookieBufSize=512;
DWORD dwErr=0;

if (!InternetGetCookieEx("https://jsanders4/","MyHttpCookie",szCookieBuf,&ccCookieBufSize,0,NULL))
{

dwErr=GetLastError();

switch (dwErr)
{

        case ERROR_INSUFFICIENT_BUFFER:
            break;

        case ERROR_NO_MORE_ITEMS:
            break;

        default:
            break;

};

}

else
{
fprintf (stderr, "Cookie found: %s\n", szCookieBuf);
}

ccCookieBufSize=512;

if (!InternetGetCookieEx("https://jsanders4/","MyHttpOnlyCookie",szCookieBuf,&ccCookieBufSize,INTERNET_COOKIE_HTTPONLY,NULL))
{

dwErr=GetLastError();
switch (dwErr)
{

        case ERROR_INSUFFICIENT_BUFFER:
            break;

        case ERROR_NO_MORE_ITEMS:
            break;

        default:
            break;

};

}

else
{
fprintf (stderr, "Cookie found: %s\n", szCookieBuf);
}

I put the page to write the cookies on one of my servers and pointed the httpauth.exe to that page.  This code works fine and does read the HttpOnly cookie.  Try and remove the flag and you will see the call fail!

Let me know if this was a help to you!