Article ID: 933869 - View products that this article applies to.
You configure forms-based authentication for a published Web site in Microsoft Internet Security and Acceleration (ISA) Server 2006 or in Windows Essential Business Server 2008. However, after you do this, applications that use an embedded Web browser program to access the Web site cannot access the published content successfully. You experience this problem when you use applications that use the InternetGetCookie method to retrieve cookies.
Note If you cannot determine whether a program uses the InternetGetCookie method to retrieve cookies, contact Microsoft Customer Support Services or contact the program vendor. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
This problem occurs because ISA Server 2006 or Windows Essential Business Server 2008 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. A cookie that has this attribute set is known as an HTTP-only cookie.
ISA Server 2006 forms-based authentication uses a client cookie to maintain the authentication context of a user. This cookie is set after the user is authenticated successfully. When the cookie is set, ISA Server 2006 sets the HTTPOnly attribute in the Set-Cookie header of the client cookie. The HTTPOnly attribute marks the cookie as non-scriptable. This helps avoid any cross-site scripting issues that may occur. For more information about cross-site scripting issues, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms533046.aspxAn HTTP-only cookie is restricted with regard to how it can be used or accessed. Applications that use the InternetGetCookie method to retrieve an HTTP-only cookie are unsuccessful. For more information about this behavior, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa384710.aspxWhen an application uses an embedded Web browser program that uses the InternetGetCookie method to retrieve cookies, the application cannot access the forms-based authentication cookie in ISA Server 2006 or in Windows Essential Business Server 2008. Therefore, the application cannot access the published Web content.
This problem is known to occur when you use the following applications:
A hotfix is available for computers that are running ISA Server 2006 or Windows Essential Business Server 2008. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:
(http://support.microsoft.com/kb/933718/ )Description of the Internet Security and Acceleration Server 2006 hotfix package that is dated March 21, 2007
After you enable the functionality that this hotfix provides, ISA Server 2006 or Windows Essential Business Server 2008 does not set the HTTPOnly attribute on client cookies for connections on a particular Web listener. This action may increase the probability that you experience a cross-site scripting issue.
Hotfix installation informationImportant These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
After you install the hotfix, you must run a script to configure ISA Server 2006 not to set the HTTPOnly attribute for a specified Web listener. To do this, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 933869 - Last Review: May 30, 2007 - Revision: 1.3