I want to secure my cookies, i read about "HTTPOnly" and "Secure" cookie flags for the ASP.NET_SessionId cookie. I create new asp.net project in VS. And in fiddler in Inspectors -> raw i have:
Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx
Then i modify web.config :
<system.web>
<compilation debug="true" targetFramework="4.0" />
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" requireSSL="true" />
</authentication>
But in fiddler the same data
Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx
I think when i add
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
i cant see cookies in fiddler, or cookies will be encrypted. Is this correct result ? Or i have mistake somewhere?
EDIT
and why i dont see in fiddler
Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; secure; HttpOnly
but only cookie without set-, and secure, and HttpOnly also in firebug i see the same results
EDIT2 It seems like i find my problem: i host app on iis and in firebug look for cookies, and i have cookies with secure and httpOnly Flags:
ASP.NET_SessionId=98sfd90sdf89sd0f80s8; path=/; secure; HttpOnly
Take a look at the httpCookies Element session in MSDN.
httpOnlyCookies sets the HttpOnly flags in response header. See Protecting Your Cookies: HttpOnly article.
requireSSL force the cookie to be transferred through a secure channel, so it's not removed and is encrypted during the transport.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With