How can I set the Secure flag on an ASP.NET Session Cookie?
How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?

Hsining answered 18/9, 2009 at 6:29 Comment(0)
There are two ways. The httpCookies element in web.config lets you turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only; the same setting also exists inside forms authentication, but if you turn on SSL in httpCookies you must also turn it on inside the forms configuration too.

Edit for clarity: Put this in <system.web>

<httpCookies requireSSL="true" />
Tightwad answered 18/9, 2009 at 6:53 Comment(6)
+1 To clarify, this is what you should add to the web.config to set the secure flag on the auth cookie to true: <httpCookies requireSSL="true" /> – Cruces
Note that this depends on your (server-level) configuration. I brought the Test Region down with the error "The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL." This was because we have a reverse proxy in place and browsers connect to it via SSL, but the reverse proxy to the IIS server is over port 80, so the application didn't think it was secured. – Voiced
@Bargitta We handled the Application_PreSendRequestHeaders event and, if a certain application setting is true, we set all cookies to secure. This app setting is only set for our HTTPS external sites. – Voiced
I see, so all your external sites will use HTTPS, thanks. – Waxy
I'd seen elsewhere that after IIS7 system.web had been replaced by system.webServer, so I tried putting this setting there. On IIS 8.5 this caused a config error though, but it all worked if I added a system.web section to the config file and put the setting in there. – Rina
If the cookies are already created in the browser, they won't have the secure flag. After adding this line to your web.config, remove your cookies in the browser and refresh your page; then the new ones will take effect and have the secure flag. – Remainder
In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
    <!-- marks every cookie, including ASP.NET_SessionId, as Secure -->
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
        <!-- must be repeated here, otherwise the forms element resets it to false -->
        <forms requireSSL="true">
            <!-- forms content -->
        </forms>
    </authentication>
</system.web>

See here and here for MSDN documentation of these elements.

Augmentation answered 31/5, 2011 at 15:39 Comment(4)
You can avoid other web.config settings over-riding your <httpCookies requireSSL="true" /> setting by including the 'lockItem' attribute. Like so: <httpCookies requireSSL="true" lockItem="true" />. More info here: dotnetnoob.com/2010/11/how-to-secure-aspnet-cookies.html – Yapok
In addition, if there is a roleManager element, its attribute cookieRequireSSL="true" should also be set to true. Ref. msdn.microsoft.com/en-us/library/… – Chick
By adding the above changes in related files, session objects are not working in my application; they are becoming null. How can I rectify this problem then? – Higher
Are you using HTTP or HTTPS for your app? The "secure" flag that we're setting here prevents cookies being sent over non-encrypted (i.e. HTTP) connections. – Augmentation
Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:

<system.web>
  <compilation xdt:Transform="RemoveAttributes(debug)" />
  <authentication>
      <forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
  </authentication>
</system.web>

That way, developers are not affected (running in Debug), and only servers that get Release builds require cookies to be SSL.

Jonas answered 8/3, 2016 at 1:56 Comment(1)
^^^This^^^ is the way. More information re: Web.Config transforms: go.microsoft.com/fwlink/?LinkId=125889 – Chick
Building upon @Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.

To that end you'd setup your web.Release.config as:

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" /> 
  </system.web>
</configuration>

If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" /> 
    <roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <authentication>
        <forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>

Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889

Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)

Chick answered 19/5, 2020 at 17:42 Comment(0)
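To confirm that the transforms above actually reach the browser, here is an added check (example code, not from this thread or from ASP.NET) that audits Set-Cookie headers and reports any cookie missing Secure or HttpOnly, naming the web.config element the answers above tie to each default ASP.NET cookie. The response headers are constructed samples; the cookie values are placeholders.

```python
# Audit Set-Cookie headers for the Secure / HttpOnly flags that the
# web.config settings discussed in this thread are meant to produce.
# Added example, not code from the thread; cookie names are the ASP.NET
# defaults, the element mapping follows the answers above.

COOKIE_SOURCES = {
    "ASP.NET_SessionId": "httpCookies requireSSL",
    ".ASPXAUTH": "forms requireSSL",
    ".ASPXANONYMOUS": "anonymousIdentification cookieRequireSSL",
    ".ASPXROLES": "roleManager cookieRequireSSL",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' match."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit(headers):
    """Return [(cookie name, [missing flags], which config element fixes it)]
    for every Set-Cookie header lacking Secure or HttpOnly.
    headers: list of (header name, header value) pairs from one HTTP response."""
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            fix = COOKIE_SOURCES.get(name, "the code that sets this cookie")
            findings.append((name, missing, fix))
    return findings


# Constructed samples: a response before and after the config changes.
BEFORE = [
    ("Cache-Control", "private"),
    ("Set-Cookie", "ASP.NET_SessionId=PLACEHOLDER_SESSION; path=/; HttpOnly"),
    ("Set-Cookie", ".ASPXAUTH=PLACEHOLDER_TICKET; path=/; HttpOnly"),
    ("Set-Cookie", ".ASPXROLES=PLACEHOLDER_ROLES; path=/"),
]
AFTER = [(h, v + "; secure; HttpOnly" if h == "Set-Cookie" and "HttpOnly" not in v
          else (v + "; secure" if h == "Set-Cookie" else v)) for h, v in BEFORE]

if __name__ == "__main__":
    for name, missing, fix in audit(BEFORE):
        print(f"{name}: missing {', '.join(missing)} -> set {fix}")
    print("after:", audit(AFTER) or "no findings")
```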
secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

Inexperience answered 1/3, 2019 at 11:11 Comment(0)