How to ensure that cookies are always sent via SSL when using ASP.NET on IIS 7.5?
Firesheep has brought the issue of insecure cookie exchanges to the forefront.
How can you ensure that all cookie exchanges are forced to occur only via an SSL-secured connection to the server when you're communicating to a web user?
Our scenario is that the web app is written in ASP.NET 4.0 and hosted on Windows Server 2008 R2 running IIS 7.5 if that narrows the scope some.
You can use app.config to force it; the format is (in the
<httpCookies domain="String" httpOnlyCookies="true|false" requireSSL="true|false" />
so you really want, at a minimum
Even if I do this, there are some cookies which do not have the secure flag set. Do you have any idea why?
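A belt-and-braces mitigation for the ASP.NET 4.0 / IIS 7.5 app in the question, added here as an example and not taken from the answer or comment above: a Global.asax handler that marks every cookie in Response.Cookies as Secure just before the headers are written, so cookies that bypass the httpCookies default (for example ones a library creates with Secure explicitly set to false) are still covered. The class name Global and file name Global.asax.cs are assumptions; the HttpOnly line is optional and will break any script that reads cookies via document.cookie.

```csharp
// Global.asax.cs (assumed file name for the application in the question)
using System;
using System.Web;

public class Global : HttpApplication
{
    // PreSendRequestHeaders fires once per response, immediately before ASP.NET
    // serialises Response.Cookies into Set-Cookie headers. It is the last point
    // at which the cookie collection can still be changed.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Response == null)
        {
            return;
        }

        // On a plain-HTTP request a Secure cookie would never be sent back by the
        // browser, so marking it here only hides the real problem: that request
        // should have been redirected to HTTPS before any cookie was issued.
        if (!ctx.Request.IsSecureConnection)
        {
            return;
        }

        HttpCookieCollection cookies = ctx.Response.Cookies;
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            cookie.Secure = true;   // browser sends it only over TLS (Firesheep-style sniffing)
            cookie.HttpOnly = true; // optional: keep it out of document.cookie
        }
    }
}
```

This only touches cookies that went through Response.Cookies; a component that writes a raw Set-Cookie header with Response.AppendHeader is not in that collection and must be fixed at its source. Forms authentication, role manager and anonymous identification also have their own requireSSL-style attributes in web.config, which are worth setting alongside httpCookies.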