How can I set the Secure flag on an ASP NET Session Cookie

Question

How can I set the Secure flag on an ASP NET Session Cookie  so that it will only be transmitted over HTTPS and never over plain HTTP

User · Answer

secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS  This will help protect the cookie from being passed over unencrypted requests  If the application can be accessed over both HTTP and HTTPS  then there is the potential that the cookie can be sent in clear text

User · Answer

Things get messy quickly if you are talking about checked-in code in an enterprise environment   We ve found that the best approach is to have the web Release config contain the following    lt system web gt     lt compilation xdt Transform  RemoveAttributes debug     gt     lt authentication gt         lt forms xdt Transform  Replace  timeout  20  requireSSL  true    gt     lt  authentication gt   lt  system web gt    That way  developers are not affected  running in Debug   and only servers that get Release builds are requiring cookies to be SSL

User · Answer

Building upon  Mark D s answer I would use web config transforms to set all the various cookies to Secure  This includes setting anonymousIdentification cookieRequireSSL and  httpCookies requireSSL   To that end you d setup your web Release config as    lt  xml version  1 0   gt   lt configuration xmlns xdt  http   schemas microsoft com XML-Document-Transform  gt     lt system web gt       lt httpCookies xdt Transform  SetAttributes httpOnlyCookies   httpOnlyCookies  true    gt       lt httpCookies xdt Transform  SetAttributes requireSSL   requireSSL  true    gt       lt anonymousIdentification xdt Transform  SetAttributes cookieRequireSSL   cookieRequireSSL  true    gt      lt  system web gt   lt  configuration gt    If you re using Roles and Forms Authentication with the ASP NET Membership Provider  I know  it s ancient  you ll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too  If so  your web release config might look like this  included above plus new tags for membership API     lt  xml version  1 0   gt   lt configuration xmlns xdt  http   schemas microsoft com XML-Document-Transform  gt     lt system web gt       lt httpCookies xdt Transform  SetAttributes httpOnlyCookies   httpOnlyCookies  true    gt       lt httpCookies xdt Transform  SetAttributes requireSSL   requireSSL  true    gt       lt anonymousIdentification xdt Transform  SetAttributes cookieRequireSSL   cookieRequireSSL  true    gt        lt roleManager xdt Transform  SetAttributes cookieRequireSSL   cookieRequireSSL  true    gt       lt authentication gt           lt forms xdt Transform  SetAttributes requireSSL   requireSSL  true    gt       lt  authentication gt     lt  system web gt   lt  configuration gt    Background on web config transforms here  http   go microsoft com fwlink  LinkId 125889  Obviously this goes beyond the original question of the OP but if you don t set them all to secure you can expect that a security scanning tool will notice and you ll see red flags appear on the report  Ask me how I know

User · Answer

In the  lt system web gt  element  add the following element      lt httpCookies requireSSL  true    gt    However  if you have a  lt forms gt  element in your system web authentication block  then this will override the setting in httpCookies  setting it back to the default false   In that case  you need to add the requireSSL  true  attribute to the forms element as well   So you will end up with    lt system web gt       lt authentication mode  Forms  gt           lt forms requireSSL  true  gt               lt  -- forms content -- gt           lt  forms gt       lt  authentication gt   lt  system web gt    See here and here for MSDN documentation of these elements

User · Answer

There are two ways  one httpCookies element in web config allows you to turn on requireSSL which only transmit all cookies including session in SSL only and also inside forms authentication  but if you turn on SSL on httpcookies you must also turn it on inside forms configuration too   Edit for clarity  Put this in  lt system web gt    lt httpCookies requireSSL  true    gt

[asp.net-session] How can I set the Secure flag on an ASP.NET Session Cookie?

Examples related to asp.net-session

Examples related to ssl-security