Saturday, February 03, 2007 6:23:50 PM (GMT Standard Time, UTC+00:00) (Internet Explorer)

Today I was hoping to finish my "Session hijacking prevention" presentation, so I thought that recording a live demo would be nice.

And then (by mistake...) I discovered that document.cookie will give you an empty string on Internet Explorer 7. Nevertheless, it works fine on previous versions of Explorer and on Firefox.

Did Microsoft restrict access to cookies via JavaScript in IE7?

Tuesday, February 06, 2007 8:22:00 PM (GMT Standard Time, UTC+00:00)
Hi,
could you please post the presentation and the code samples here?

Thanks.
Tuesday, February 06, 2007 9:14:40 PM (GMT Standard Time, UTC+00:00)
Hi Shani,
I will post it as soon as I finish covering the subject.

Do you maybe know why the behavior differs?
Wednesday, February 07, 2007 3:07:25 PM (GMT Standard Time, UTC+00:00)
It's IE6 SP1 and up.
Also, the HttpOnly property of the cookie should be set to true.
Pasha Bitz
Wednesday, February 07, 2007 7:28:32 PM (GMT Standard Time, UTC+00:00)
Thanks Pasha.
That solves the issue.

It seems that Microsoft created this "HttpOnly" property for cookies; the reason for it was to try to mitigate cross-site scripting.
Some info on this topic can be found here:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp

But that certainly does not stop XSS, even with HttpOnly cookies.
I'll update my presentation to include this info.
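The behaviour discussed in this thread, as an added example (not code from the original post or its comments): it models which cookies a browser that honours HttpOnly exposes through document.cookie, and audits Set-Cookie headers for session cookies that lack the flag. The header values and the name pattern for session cookies are constructed assumptions.

```javascript
// Added example, not from the original post. Constructed Set-Cookie headers
// standing in for what a server would send; only the first one carries HttpOnly.
const SAMPLE_SET_COOKIE_HEADERS = [
  "ASP.NET_SessionId=abc123; path=/; HttpOnly",
  "theme=dark; path=/",
  "auth=tok456; path=/; Secure",
];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split("=");
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// What document.cookie returns in a browser that honours HttpOnly:
// only the cookies set without the flag. If every cookie is HttpOnly,
// the result is the empty string seen in the post.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Defender check: names of cookies that look like session or auth tokens
// (assumed pattern) but were issued without HttpOnly, so script can read them.
function findUnprotectedSessionCookies(headers, namePattern = /session|auth|token/i) {
  return headers
    .map(parseSetCookie)
    .filter((c) => namePattern.test(c.name) && !c.attrs.httponly)
    .map((c) => c.name);
}

console.log(scriptVisibleCookies(SAMPLE_SET_COOKIE_HEADERS)); // prints "theme=dark; auth=tok456"
console.log(findUnprotectedSessionCookies(SAMPLE_SET_COOKIE_HEADERS)); // prints [ 'auth' ]
```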