Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cookies received from Server is Secure But Cookies sent to Server is not secure ASP.NET

Tags:

security

asp.net

session-cookies

asp.net-session

In my ASP.NET Web application, i have made the below changes to make the ASP.NET_SessionID and .ASPXAUTH Cookies Secure by adding the below entries to web.config

<httpCookies httpOnlyCookies="true" requireSSL="true" />

and adding the below tag 

<forms requireSSL ="true" />

But my issue here is that, the Cookies received from Server(Network->Cookies->Direction Column has a value of received) has Secure and HttpOonly flag set to true. Found the information when i debug using IE 11 Developer tools, but the cookies data sent to Server(Network->Cookies->Direction Column has a value of Sent) does not have any Secure or HttpOnly flag set to true.

Is this the default behaviour? If so, why the data sent to server is not having the Secure and HttpOnly flag set? How to set it other than the above changes made to the config file.

like image 799
Rajesh Avatar asked Oct 18 '14 07:10

Rajesh

1 Answers

Cookie flags, like Secure and HttpOnly, are only sent from the server to the client. You won't ever see them in traffic going the other way. If you want to make sure that a cookie is Secure, have the browser make a request over HTTP (instead of HTTPS) and see if the cookie is still present (it shouldn't be). If you want to make sure a cookie is HttpOnly, open your site in the browser and then check the value of document.cookie using the JS console in the dev tools; you should see any non-httponly cookies you have but no httponly cookies.

Cookies are an inherently client-side thing. They are a way for a server to tell the client "every time you make a request to me, include this bit of info". The Secure flag modifies that to say "Every time you make a request to me over a secure connection, include this bit of info (but don't ever divulge it over insecure connections)". A conforming user agent - that is to say, a web browser - is supposed to obey those directives. However, there are no equivalent directives the other way; servers don't have to do anything at all with cookies the client sends them, and there is no "client sets a cookie on the server" equivalent of the way servers can set cookies on the client. Directives (including Secure, HttpOnly, Domain, Expires, etc.) are only used when setting a cookie.

like image 189
CBHacking Avatar answered Oct 11 '22 16:10

CBHacking
Sign in to Comment

Related questions

Is it possible to stop ObjectDataSource from auto-binding?
Under what circumstances will the ctl00 prefix render as something else ex. ctl01?
Dynamic ID in KnockoutJS code block
The GridView fired event RowEditing which wasn't handled
Using Global.asax to set/check session variable and redirect (for user testing)
Is there any benifit in using DataContract and DataMember attributes while working with Asp.net Web API?
Error handling when downloading file from ASP.NET Web Handler (.ashx)
To Increase Request Timeout only on particular Web Page
How asp.net Bundling works internally
ASP.NET long running task. Thread is being aborted exception
Is it possible to code action-filter attributes for asp.net web form application?
Rename AntiForgeryToken Hidden Input Name from __RequestVerificationToken
Accessing appSettings from multiple Web.config files
The element 'entityFramework' has invalid child element Entity Framework
ModelState.AddModelError to a particular ValidationMessageFor of a field?
change DefaultConnection in MVC Accounts Database
Html.TextBoxFor NullReferenceException using Razor syntax
SignalR client is reconnected after Owin restart, but message is not published
What is the difference between RequestInterceptor and MessageInspector?
Complex authentication with existing user database in MVC5

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!