How to ensure that cookies are always sent via SSL when using ASP.NET on IIS 7.5?

  • Firesheep has brought the issue of insecure cookie exchanges to the forefront.

    How can you ensure that all cookie exchanges are forced to occur only via an SSL-secured connection to the server when you're communicating to a web user?

    Our scenario is that the web app is written in ASP.NET 4.0 and hosted on Windows Server 2008 R2 running IIS 7.5 if that narrows the scope some.

    You may need to set the cookie's domain property for your cookies, for example: `Response.Cookies["your_cookie_name"]`, to ensure your cookies can be read from both the primary domain and all its subdomains.

  • blowdart

    blowdart Correct answer

    10 years ago

    You can use app.config to force it; the format is (in the <system.web> section)

    <httpCookies domain="String"
                 httpOnlyCookies="true|false"
                 requireSSL="true|false" />

    so you really want, at a minimum

    <httpCookies requireSSL='true'/>

    But preferably you'll also turn httpOnlyCookies on, unless you're doing some really hooky javascript.

    Even if I do this, there are some cookies which do not have the secure flag set. Do you have any idea why?

    In my website, I do not have `app.config`. Can I add this to the `web.config` instead?
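As an added example (not part of blowdart's answer or the asker's site), a `web.config` fragment that applies the setting to application cookies and also to the forms-authentication ticket, which takes its Secure flag from `<forms requireSSL>` rather than from `<httpCookies>`; that is one common reason a cookie still shows up without Secure after the change above. The cookie name and login URL are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example, not the answer's own snippet. The weak default is shown in
     each comment; the hardened value is in the element. Names are placeholders. -->
<configuration>
  <system.web>
    <!-- Default for every cookie created through Response.Cookies.
         Weak: <httpCookies requireSSL="false" httpOnlyCookies="false" /> -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- The forms-authentication cookie is governed by this element, not by
         <httpCookies>. Weak: requireSSL="false" (the default). -->
    <authentication mode="Forms">
      <forms name=".EXAMPLE_AUTH" loginUrl="~/Account/Login"
             requireSSL="true" cookieless="UseCookies" timeout="30" />
    </authentication>

    <!-- Role-cache cookie, only relevant when roles are cached in a cookie.
         Weak: cookieRequireSSL="false". -->
    <roleManager enabled="true" cacheRolesInCookie="true"
                 cookieRequireSSL="true" />
  </system.web>
</configuration>
```

With `requireSSL="true"` on `<forms>`, a sign-in over plain HTTP fails with an HttpException instead of issuing an unprotected ticket, so the login page itself must be served over HTTPS.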

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM