I have set the httpCookies requireSSL value to true in web.config and run the web app on my local machine without https running. All runs fine apart from when I try to read the Request.Cookie.
It's not there. I assume because I don't have SSL enabled it never created it, but there was no warning that it failed. I only know when I try to read a cookie value.
Should it not warn you?
Sensitive data that is transmitted using HTTP is vulnerable to being read by a third party. By default, web forms and cookies are sent via HTTP, not HTTPS. This setting can be changed by setting the requireSSL attribute to "true" in Web.
The RequireSSL property enables or disables output of the secure cookie attribute as described in RFC 2109. When used by compliant browsers, the cookie will only be sent back over a connection using SSL/TLS. The default is false.
Mark cookies as Secure: Response.Cookies.Add(new HttpCookie("key", "value") { Secure = true }); That's it!
No. What the setting does is send the 'Secure' parameter when setting the cookie. After receiving a cookie with that parameter, the client should only send it back to the server when the connection used is secure.
That's why the client is not sending back the cookie and you're not seeing it. Also, the server should not send this type of cookie over an insecure connection.
See RFC-2109, section 4.2.2 for the explanation on how the 'Secure' attribute is used and interpreted.
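To see the client-side rule from this answer in action, here is an added example (not code from the question or the answers, and not ASP.NET code) that uses Python's standard http.cookiejar as a stand-in for a compliant browser. The helper build_set_cookie, the StubResponse class, and the host app.example.test are constructed for the illustration; the jar behaviour itself is the stdlib's.

```python
"""Added example: how a compliant client treats the Secure cookie attribute.

Simulates what requireSSL="true" causes: the server emits "; Secure" on the
cookie, and the client then withholds that cookie on any non-TLS request,
which is why the app never sees it back when run over plain http.
"""
import http.cookiejar
import urllib.request
from email.message import Message


def build_set_cookie(name, value, require_ssl):
    """Constructed stand-in for the server side: mirror what the requireSSL
    setting does by appending the Secure attribute to the Set-Cookie value."""
    header = "%s=%s; Path=/" % (name, value)
    if require_ssl:
        header += "; Secure"
    return header


class StubResponse:
    """Minimal response object: CookieJar.extract_cookies only calls .info()
    and reads the Set-Cookie headers from the returned message."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # repeated keys are kept

    def info(self):
        return self._headers


def cookies_sent_back(set_cookie_value, set_url, replay_url):
    """Store the cookie as if received in a response to set_url, then return
    the Cookie header the jar would attach to a request to replay_url
    (None when the policy decides nothing may be sent)."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: Secure => https/wss only
    jar.extract_cookies(StubResponse([set_cookie_value]),
                        urllib.request.Request(set_url))
    replay = urllib.request.Request(replay_url)
    jar.add_cookie_header(replay)
    return replay.get_header("Cookie")


if __name__ == "__main__":
    # Constructed hostname; the scheme is what matters here.
    login_http = "http://app.example.test/login"
    page_http = "http://app.example.test/home"
    login_https = "https://app.example.test/login"
    page_https = "https://app.example.test/home"

    secure_cookie = build_set_cookie("session", "abc123", require_ssl=True)
    plain_cookie = build_set_cookie("session", "abc123", require_ssl=False)

    # requireSSL on, site served over http: cookie stored but never sent back.
    print("Secure cookie, http replay :", cookies_sent_back(secure_cookie, login_http, page_http))
    # requireSSL on, site served over https: cookie comes back as expected.
    print("Secure cookie, https replay:", cookies_sent_back(secure_cookie, login_https, page_https))
    # requireSSL off: cookie is sent back even over http (and is exposed on the wire).
    print("Plain cookie, http replay  :", cookies_sent_back(plain_cookie, login_http, page_http))
```

The jar accepts the Secure cookie even when it arrives over http and then silently withholds it on every http request, which is exactly the symptom in the question: no error at set time, and an empty Request.Cookies at read time. Current browsers go further and refuse to store a Secure cookie that was set over an insecure origin, so the outcome for the app is the same either way: serve the site over HTTPS when requireSSL is enabled.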