Encrypt cookies in ASP.NET

I would like to encrypt cookies in ASP.NET.

I have followed the method in this article, but it has the drawback that it uses reflection on an internal method. This has caused it to be flagged in a code review -- it is not future-proof, as the internal implementation may change.

Is there a method with identical functionality which doesn't require using encryption on internal methods?

I am using .NET Framework 3.5 SP1 (assume I cannot change framework versions).

frankadelic asked Dec 05 '10 19:12



2 Answers

You don't need to roll your own any more.

.Net 4.5 has MachineKey.Protect() and MachineKey.Unprotect().

System.Web.Security.MachineKey

.Net 4.0 has MachineKey.Encode() and MachineKey.Decode(). You should just set the MachineKeyProtection to 'All'. These are now obsolete, though, and you should use the newer ones if you have 4.5.

Note that if you try to use these in something like a console app instead of ASP.Net, it seems to generate a new key with every app restart. I only checked it quickly, but in ILSpy it looks like it generates its own defaults if the appropriate app.settings are missing.

I haven't been able to find a non-ASP.Net equivalent.

mattmanser answered Nov 10 '22 04:11


Why not just use the encryption found in System.Security.Cryptography to encrypt and decrypt the cookie name and value when it's sensitive? You can write some utility functions to manage it pretty easily. Example utility functions:

```csharp
// Static helpers cannot use the Page's Response/Request properties directly,
// so go through HttpContext.Current.
private static void SetEncryptedCookie(string name, string value)
{
    var encryptName = SomeEncryptionMethod(name);
    HttpContext.Current.Response.Cookies[encryptName].Value = SomeEncryptionMethod(value);
    //set other cookie properties here, expiry &c.
    //Response.Cookies[encryptName].Expires = ...
}

private static string GetEncryptedCookie(string name)
{
    //you'll want some checks/exception handling around this
    // Incoming cookies live on the Request; the stored name is the encrypted
    // form of the plaintext name, so look it up the same way it was written
    // (this requires SomeEncryptionMethod to be deterministic for names).
    return SomeDecryptionMethod(
               HttpContext.Current.Request.Cookies[SomeEncryptionMethod(name)].Value);
}
```
jball answered Nov 10 '22 04:11
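Putting the two answers together, here is an added example (not code from either answerer) of the utility-function pattern from the second answer implemented with the MachineKey.Protect()/Unprotect() API named in the first. It targets .NET 4.5 as that answer states; the class name, the purpose string "cookie:v1" and the helper signatures are assumptions, and a fixed machineKey element in web.config is assumed so the same key is used across restarts and farm nodes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Assumed helper class (not from the original answers).
public static class ProtectedCookies
{
    // Assumed purpose string: it is mixed into the derived key, so a blob protected
    // for a cookie cannot be replayed as some other MachineKey-protected artefact.
    private const string Purpose = "cookie:v1";

    public static void Set(HttpResponse response, string name, string value, TimeSpan lifetime)
    {
        // The cookie name is passed as a second purpose, binding the ciphertext to this
        // cookie so a valid blob cannot simply be moved to a different cookie.
        byte[] plaintext = Encoding.UTF8.GetBytes(value);
        byte[] protectedBytes = MachineKey.Protect(plaintext, Purpose, name);

        var cookie = new HttpCookie(name, Convert.ToBase64String(protectedBytes))
        {
            HttpOnly = true,                         // not readable from page script
            Secure = true,                           // only sent over HTTPS
            Expires = DateTime.UtcNow.Add(lifetime)
        };
        response.Cookies.Add(cookie);
    }

    // Returns null when the cookie is absent, not valid base64, or fails the
    // authenticity check (tampered, or protected under another key/purpose/name).
    public static string Get(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        try
        {
            byte[] protectedBytes = Convert.FromBase64String(cookie.Value);
            byte[] plaintext = MachineKey.Unprotect(protectedBytes, Purpose, name);
            return plaintext == null ? null : Encoding.UTF8.GetString(plaintext);
        }
        catch (FormatException) { return null; }        // cookie value was not base64
        catch (CryptographicException) { return null; } // MAC/decryption failure
    }
}
```

Unprotect() authenticates before decrypting, so a cookie a client has edited comes back as null rather than as garbage, which is the property the question's reflection-based approach was trying to get from the framework internals.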