A penetration test was done on our website and we were told that the website does not have secure cookies. This is on both HTTP and HTTPS.
I have tried tons of examples and still the cookies do not have the Secure flag ticked. I don't know where I am going wrong.
Here is what I have tried in the web.config:
Solution 1
<httpCookies requireSSL="true"/>
Solution 2
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Solution 3
<httpCookies requireSSL="true" lockItem="true" />
Solution 4
<authentication mode="Forms">
    <forms loginUrl="Layout_Simple.cshtml" cookieless="UseCookies" requireSSL="true" path="/Account/Login" />
</authentication>
After trying each of these solutions, the cookies were still not secure.
I then tried code in the Global.asax.cs file. When running the website like this, the cookies were still not secure:
using System;
using System.Web;
using System.Web.Security;

// Global.asax.cs: mark the auth, anti-forgery and session cookies Secure on every response.
protected void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        foreach (string s in Response.Cookies.AllKeys)
        {
            string name = s.ToLower();
            if (s == FormsAuthentication.FormsCookieName
                || name == "__requestverificationtoken"
                || name == ".aspnet.applicationcookie"
                || name == "asp.net_sessionid")
            {
                // Indexing a name that is not in the collection creates an empty cookie,
                // so only flag the cookie that is actually being set.
                Response.Cookies[s].Secure = true;
            }
        }
    }
}
I also tried adding the below line in the Startup.Auth.cs file but this caused the website not to login anymore.
// Startup.Auth.cs
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new Microsoft.Owin.PathString("/Account/Login"),
    // Always: the cookie is issued with the Secure flag even on a plain-HTTP request,
    // and a browser never sends a Secure cookie back over HTTP.
    CookieSecure = Microsoft.Owin.Security.Cookies.CookieSecureOption.Always
});
I was having the same issue with my ASP.Net Core 3.1 web API. It was failing the Checkmarx scan with violations "HttpOnlyCookies" and "InsecureCookie" (despite being an API with no cookies). I fixed it by adding this to ConfigureServices:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

// In ConfigureServices; the policy is enforced by app.UseCookiePolicy() in Configure.
services.Configure<CookiePolicyOptions>(options =>
{
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.Secure = CookieSecurePolicy.Always;
});
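A check to confirm either fix (the Global.asax approach in the question or the CookiePolicyOptions answer), added here and not part of either post: it parses the Set-Cookie header lines a scanner or `curl -I` would show and reports which cookies still lack Secure, and which of the session, auth and anti-forgery cookies named above also lack HttpOnly. The sample headers and the cookie-name list are constructed assumptions.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags (added example)."""
from typing import Dict, List

# Cookies that carry auth/session/CSRF state and must be Secure and HttpOnly.
# Constructed list based on the names discussed above; adjust to your app.
SENSITIVE_COOKIES = {
    ".aspxauth",                  # default FormsAuthentication cookie
    ".aspnet.applicationcookie",  # OWIN / Identity application cookie
    "asp.net_sessionid",
    "__requestverificationtoken",
}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map.
    Attribute names are case-insensitive per RFC 6265, so 'secure' == 'Secure'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]}. Every cookie is expected to be Secure;
    sensitive cookies are additionally expected to be HttpOnly."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        attrs = c["attrs"]
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if c["name"].lower() in SENSITIVE_COOKIES and "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[c["name"]] = missing
    return findings


# Constructed sample headers, not captured from a real site.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".AspNet.ApplicationCookie=xyz; path=/; HttpOnly; secure",
    "__RequestVerificationToken=tok; path=/",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

A clean result is an empty dict; run it against the headers of the real login and session responses, not only the landing page, since the auth cookie is only issued after sign-in.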