SyntaxFix

[c#] How to secure the ASP.NET_SessionId cookie?

I have set the .ASPXAUTH cookie to be https only but I am not sure how to effectively do the same with the ASP.NET_SessionId.

The entire site uses HTTPS so there is no need for the cookie to work with both http and https.

This question is related to c# asp.net session-cookies

The answer is

To add the ; secure suffix to the Set-Cookie http header I simply used the <httpCookies> element in the web.config:

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

IMHO much more handy than writing code as in the article of Anubhav Goyal.

See: http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx

Going with Marcel's solution above to secure Forms Authentication cookie you should also update "authentication" config element to use SSL

<authentication mode="Forms">
   <forms ...  requireSSL="true" />
</authentication>

Other wise authentication cookie will not be https

See: http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx

Adding onto @JoelEtherton's solution to fix a newly found security vulnerability. This vulnerability happens if users request HTTP and are redirected to HTTPS, but the sessionid cookie is set as secure on the first request to HTTP. That is now a security vulnerability, according to McAfee Secure.

This code will only secure cookies if request is using HTTPS. It will expire the sessionid cookie, if not HTTPS. 

    // this code will mark the forms authentication cookie and the
    // session cookie as Secure.
    if (Request.IsSecureConnection)
    {
        if (Response.Cookies.Count > 0)
        {
            foreach (string s in Response.Cookies.AllKeys)
            {
                if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
                {
                    Response.Cookies[s].Secure = true;
                }
            }
        }
    }
    else
    {
        //if not secure, then don't set session cookie
        Response.Cookies["asp.net_sessionid"].Value = string.Empty;
        Response.Cookies["asp.net_sessionid"].Expires = new DateTime(2018, 01, 01);
    }

If the entire site uses HTTPS, your sessionId cookie is as secure as the HTTPS encryption at the very least. This is because cookies are sent as HTTP headers, and when using SSL, the HTTP headers are encrypted using the SSL when being transmitted.

Found that setting the secure property in Session_Start is sufficient, as recommended in MSDN blog "Securing Session ID: ASP/ASP.NET" with some augmentation.

    protected void Session_Start(Object sender, EventArgs e)
    {
        SessionStateSection sessionState = 
 (SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
        string sidCookieName = sessionState.CookieName;

        if (Request.Cookies[sidCookieName] != null)
        {
            HttpCookie sidCookie = Response.Cookies[sidCookieName];
            sidCookie.Value = Session.SessionID;
            sidCookie.HttpOnly = true;
            sidCookie.Secure = true;
            sidCookie.Path = "/";
        }
    }

Source: Stackoverflow.com

Examples related to c#

How can I convert this one line of ActionScript to C#? Microsoft Advertising SDK doesn't deliverer ads How to use a global array in C#? How to correctly write async method? C# - insert values from file into two arrays Uploading into folder in FTP? Are these methods thread safe? dotnet ef not found in .NET Core 3 HTTP Error 500.30 - ANCM In-Process Start Failure Best way to "push" into C# array

Examples related to asp.net

RegisterStartupScript from code behind not working when Update Panel is used You must add a reference to assembly 'netstandard, Version=2.0.0.0 No authenticationScheme was specified, and there was no DefaultChallengeScheme found with default authentification and custom authorization How to use log4net in Asp.net core 2.0 Visual Studio 2017 error: Unable to start program, An operation is not legal in the current state How to create roles in ASP.NET Core and assign them to users? How to handle Uncaught (in promise) DOMException: The play() request was interrupted by a call to pause() ASP.NET Core Web API Authentication Could not load file or assembly 'CrystalDecisions.ReportAppServer.CommLayer, Version=13.0.2000.0 WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for jquery

Examples related to session-cookies

Invalidating JSON Web Tokens PHP session lost after redirect How to use cURL to send Cookies? Using Python Requests: Sessions, Cookies, and POST What is the difference between server side cookie and client side cookie? Check if cookies are enabled How to delete cookies on an ASP.NET website What is the difference between Sessions and Cookies in PHP? How to secure the ASP.NET_SessionId cookie?

Tags

Radix Datastore Subtraction Google-street-view Vendor-branch Episerver Ext.list Umodel Onncpaint Balloon Vc90 Partial-ordering Incanter Jquery-cycle Digital-compass Vspackage Numericstepper Mbf Caliburn.micro Shortest-path Synapse Unicode-escapes Submission Interstitial Require Commandfield Install-name-tool Powercommands Code-inspection Assemblyversionattribute Jmenuitem Timed Dunit Adb Gherkin Callblocking Intrusion-detection Fault-tolerance Lastaccesstime Line-by-line New-operator Decoder Visual-programming Underflow Getproperty Hpsa Facebook-fql Xml-database Erl-interface Windows-ribbon-framework Xsd2code Conditional-statements Decimal Union-all Syncback Pugixml Date-format Groupbox Progressive-enhancement Aggregators Photogrammetry Linker-scripts Containstable Canopen Ctp Variable-caching Rediska Financial Stored-functions Coclass Taction Xenocode Pyopenssl Xlc Dml Shift-reduce Xmlroot Callbyname In-function Rails-migrations Svnadmin System-procedures Recommendation-engine Sdl-opengl Galleryview Pyrex Memory-management Console Http-status-code-301 Throughput Liferay-6 Utorrent Html-help-workshop Irrlicht Cin Codecave Visual-sourcesafe-plugin Campfire Alsa Rshd