
I have a site that has both HTTP and HTTPS pages.

I have tried the following to make cookies secure:

  • Web.config <httpCookies requireSSL="true" /> with form authentication.
  • Forcing cookie to secure at Application_End

In both cases the pages don't work over HTTP. I think the above solutions only work if all the pages use HTTPS.

How to resolve this puzzle?

Nikolai Samteladze
user1029468

2 Answers


The whole point of a cookie set as 'secure' is that it is only transmitted over https; the http pages will not receive a copy of it. From Wikipedia:

A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

If you want to use a secure cookie, you need to ensure that all the pages use https.

Adrian Wragg
  • I have a constraint: I cannot move the whole website to https. Is there any way to fix this issue, or an alternative? – user1029468 Aug 02 '13 at 14:37
  • Unfortunately not; your http-served pages will not get the cookie whilst it is set as 'secure'. The only way is for the secure setting to be removed. – Adrian Wragg Aug 02 '13 at 14:44
  • You could, at a stretch, use a normal insecure cookie, encrypt the data inside it, and also encrypt some origin-related information in it (for example, which IP address requests should come from). But that's still vulnerable to interception - e.g. if an attacker manages to get on the same network - and the origin IP address could change causing further problems. Not to mention that it may well not pass any security audits. – Adrian Wragg Aug 02 '13 at 14:49

The question, "How to resolve this puzzle?", requires an analysis of the requirements to see whether it would be better to use https for the whole website or a combination of http and https.

Since you are also asking for an alternative in one of your comments above, I hope the info below may help you decide on alternatives.

Background:

Basically, you use http for all pages that have nothing to do with sensitive data, and https on the pages that have sensitive data. Many times we don't prefer to use https for the whole website, as more data travels and it takes time to encrypt and decrypt it, thereby adding to the actual time it takes to load/display a page.

However, there are arguments against the above common notion, and you can also find encouragement to use https for your whole website. Check this: How to implement HTTPS only on part of website?

And, YES, secure cookies can only be used on https pages.

Some suggestions

Community
R.C
  • How is any of this relevant to the question? Seriously? – Adrian Wragg Aug 02 '13 at 20:42
  • 2
    He can't use secure cookies on http page. In the end he asked that how to resolve this puzzle?. So It will be good to help him think and see what exactly is the requirement and that he may resolve this puzzle so that either he will use https as a whole or a combination rather than trying waste to access secure cookies on http page. – R.C Aug 03 '13 at 01:23
  • Also in one of above comments user mentioned that it's not possible for him to use https on whole website. And HE DID ASKED FOR ALTERNATIVES. so i just tried to give . – R.C Aug 03 '13 at 01:28
  • @Adrian: My sincere apologies Friend if I offended in any way. I just wanted to help the user get clarity on his alternative options available as he demanded the same. – R.C Aug 03 '13 at 01:38
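The behaviour both answers describe can be checked without a browser: a user agent never attaches a cookie carrying the Secure attribute to a plain http request, which is exactly why the http pages in the question stop seeing the forms-authentication cookie once requireSSL="true" marks it Secure. The following is an added example, not code from the question or either answer. It uses Python's standard-library CookieJar, whose default policy applies the same rule, and models the split the second answer describes: a Secure cookie for the authenticated (https) pages next to an ordinary cookie that the http pages may still use. The hostname example.com and the cookie values are constructed for the demonstration; .ASPXAUTH is only used as the conventional ASP.NET forms-auth cookie name.

```python
"""Model of how a browser cookie jar treats the Secure attribute.

Added example (not from the original question or answers). Python's
CookieJar + DefaultCookiePolicy attach a cookie flagged secure only to
https:// (or wss://) requests, matching what browsers do. The hostname
and cookie values below are constructed for the demonstration.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

SITE = "example.com"  # constructed hostname for the demo


def make_cookie(name, value, secure):
    """Build a Netscape-style (version 0) cookie scoped to SITE, path '/'."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=SITE, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure,            # the attribute this page is about
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """A jar holding one Secure cookie (the auth ticket, which must never
    travel in clear) and one ordinary cookie (non-sensitive preference),
    as a site mixing http and https pages might set them."""
    jar = CookieJar()
    # .ASPXAUTH is ASP.NET's default forms-auth cookie name; the value is made up.
    jar.set_cookie(make_cookie(".ASPXAUTH", "forms-ticket", secure=True))
    jar.set_cookie(make_cookie("theme", "dark", secure=False))
    return jar


def cookies_sent(jar, url):
    """Return the sorted cookie names the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)      # applies the Secure check, among others
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


if __name__ == "__main__":
    jar = build_jar()
    for url in (f"https://{SITE}/account", f"http://{SITE}/public"):
        print(url, "->", cookies_sent(jar, url))
```

Running it shows the https request carrying both cookies and the http request carrying only the non-secure "theme" cookie; the auth ticket is simply absent from the http page's request, which is the "pages don't work with HTTP" symptom in the question rather than a bug. The design consequence is the one the answers reach: either the pages that need the authentication cookie are served over https, or the cookie loses its Secure flag and with it the protection against being read on the wire.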