FEDAUTH Safety Cookies

I grabbed the FEDAUTH security cookie (using Fiddler) while browsing my ASP.NET 3.5 website using IE 7. Now I know that the FEDAUTH security cookie is marked with the “HttpOnly” flag, which means you cannot access this cookie from code. All APIs on the stack honor this flag, so you cannot get the FEDAUTH token through code. But .NET includes the CookieContainer class, which contains a collection of cookies sent and received from a web request. So, all you have to do is just pass the CookieContainer along with the call.

My question is: can someone take this cookie and use it in an HTTP request, e.g.:

    CookieContainer cc = new CookieContainer();
    cc.SetCookies(new Uri(_uri), "FedAuth=77u/PD94bWwgdmVyhcmVwb2ludC5jb2addfdQ8UD4=; expires=Tue, 01-Jan-2010 02:37:12 GMT; path=/; HttpOnly");

Source: https://habr.com/ru/post/1787513/