I wanted to understand the security threat caused by not setting the httponly flag for the ARRAffinity cookie which is sent by ARR. Do I need to set the httponly flag? If not, why?
Does ARRAffinity cookie need HttpOnly flag
905 Views Asked by AudioBubble At
There are 1 best solutions below
The ARRAffinity cookie doesn't need the HttpOnly flag. I found the feedback below, which was raised in 2016, and the Azure team gave a response in 2017.
Set ARRAffinity cookie with correct attributes - HTTPOnly & Secure
But now, ARRAffinity has set the httponly flag by default. We don't need to manually set httponly. ARRAffinity and ARRAffinitySameSite are both used to tell Azure which IIS instance should be reached.
Hope the following article can help you.
Securing the ARRAffinity Cookie
If we set like below code, in our browser, we can't get cookies which is security.
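To confirm what the answer says about a given site, the `Set-Cookie` headers of a response can be audited for the two affinity cookies. The following is an added example, not code from the original answer or from Azure; the function names and the header values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the ARR affinity cookies.
// Cookie names are matched case-insensitively.
const AFFINITY_COOKIES = new Set(["arraffinity", "arraffinitysamesite"]);

// Parse one Set-Cookie header value into { name, attrs }.
// Attribute names are lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no name=value pair, nothing to audit
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq).trim(), attrs };
}

// Return one finding per affinity cookie, listing the flags it lacks.
// Other cookies (session cookies, etc.) are skipped.
function auditAffinityCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie || !AFFINITY_COOKIES.has(cookie.name.toLowerCase())) continue;
    const missing = [];
    if (!cookie.attrs.has("httponly")) missing.push("HttpOnly");
    if (!cookie.attrs.has("secure")) missing.push("Secure");
    findings.push({ name: cookie.name, missing });
  }
  return findings;
}

// Constructed sample headers (placeholder values and hosts, not captured traffic).
const SAMPLE_HEADERS = [
  "ARRAffinity=0123abcd;Path=/;HttpOnly;Secure;Domain=app.example.test",
  "ARRAffinitySameSite=0123abcd;Path=/;HttpOnly;SameSite=None;Secure;Domain=app.example.test",
  "ARRAffinity=0123abcd;Path=/;Domain=legacy.example.test",
  "session=xyz; Path=/",
];

for (const f of auditAffinityCookies(SAMPLE_HEADERS)) {
  console.log(f.name, f.missing.length ? "missing: " + f.missing.join(", ") : "ok");
}
```
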