Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

asp.net secure cookies

I want to secure my cookies, i read about "HTTPOnly" and "Secure" cookie flags for the ASP.NET_SessionId cookie. I create new asp.net project in VS. And in fiddler in Inspectors -> raw i have:

Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

Then i modify web.config :

<system.web>
    <compilation debug="true" targetFramework="4.0" />

    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" requireSSL="true" />
    </authentication>

But in fiddler the same data

 Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

I think when i add <httpCookies httpOnlyCookies="true" requireSSL="true"/> i cant see cookies in fiddler, or cookies will be encrypted. Is this correct result ? Or i have mistake somewhere?

EDIT

and why i dont see in fiddler

Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; secure; HttpOnly

but only cookie without set-, and secure, and HttpOnly also in firebug i see the same results

EDIT2 It seems like i find my problem: i host app on iis and in firebug look for cookies, and i have cookies with secure and httpOnly Flags:

ASP.NET_SessionId=98sfd90sdf89sd0f80s8; path=/; secure; HttpOnly
like image 303
Andriy Khrystyanovich Avatar asked Feb 03 '23 09:02

Andriy Khrystyanovich


1 Answers

Take a look at the httpCookies Element session in MSDN.

httpOnlyCookies sets the HttpOnly flags in response header. See Protecting Your Cookies: HttpOnly article.

requireSSL force the cookie to be transferred through a secure channel, so it's not removed and is encrypted during the transport.

like image 146
Be.St. Avatar answered Feb 09 '23 03:02

Be.St.