4

Let us say that I have deployed an ASP.NET website as SSL only. Does this mean that I don't have to worry about encrypting the cookies explicitly using the methods outlined in the following links in order to protect them?

How do I protect my site's session cookie?

How to secure the ASP.NET_SessionId cookie?

Encrypt cookies in ASP.NET

Or should I add this code in my web.config file?

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
<system.web>

Note

I am not expliciltly creating cookies in my code. They are being generated as a result of creating Sessions.

Community
  • 1
  • 1
Matthew
  • 4,477
  • 21
  • 70
  • 93

2 Answers2

2

Does this mean that I don't have to worry about encrypting the cookies explicitly using the methods outlined in the following links in order to protect them?

That will greatly depend on what information you are storing in those cookies and whether you care about the user being able to manipulate it. For example FormsAuthentication cookies are always encrypted because they contain the currently authenticated username. If they weren't encrypted the user could simply forge a request and replace his username with for example admin. The fact that the cookie is sent over SSL is absolutely not an obstacle for him.

On the other hand if you are storing some user preferences such as background theme, you probably wouldn't care if the user forges a request in which he changes his background color from blue to red, right?

So to conclude: if you don't want the user to be able to modify the value of the cookie you should encrypt it, no matter whether it is sent over SSL or not.

SSL is used to protect from man-in-the-middle attacks in which the end user cookie value could be stolen by a man-in-the-middle.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
1

You do not make custom cookies, so let see what cookies asp.net creates.

Its creates two main cookies, one for the session and one for the login credentials.

Now, from your part, you have to decide, what informations are critical and need to be secure.

If you have decide that all user informations are sensitive and need protection, then you make all your page ssl secure, and you add the requireSSL="true" on both the httpCookies and on authentication | forms

If you decide that only some pages are sensitive data, then this are the page that must logged in and this are the page that must be secure ssl, and then you use the requireSSL="true" only for the authentication | forms

<authentication mode="Forms">
  <forms requireSSL="true" ... />
</authentication>

Now one note, if you have set requireSSL="true" then the cookie is readed/acceced only on ssl secure pages. So all your site must be https:// only.

About ssl and cookies:
Preparing my ASP.NET / MVC site to use SSL?
Can some hacker steal the cookie from a user and login with that name on a web site?

Community
  • 1
  • 1
Aristos
  • 66,005
  • 16
  • 114
  • 150