Secure Flag for ASPXAUTH Cookie

Question

We have an externally facing application which was penetration-tested by an external security company. Application has been developed on ASP.NET MVC4 and running on IIS8/Windows 2012 Server.

One of the vulnerabilities reported was ASPXAUTH is not secure. When I checked on the cookie inspector, there are some cookies with Secure flag. But ASPXAUTH was not one of them.

I did a bit of research, and set these flags below on the web.config

<forms loginUrl="~/Account/Login" timeout="2880"  requireSSL=""  name="AppName" />

and

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Despite these settings, the authentication cookie is not marked as secure. I assumed that thse flags should be enough to mark application cookies as secure, but there are a few other cookies which are also not marked as secure. I am not too concerned about them as they don't contain any sensitive information. But I would like to flag ASPXAUTH as secure.

My questions are,

With these flags set on the web.config, is having ASPXAUTH without secure flag a security issue?
If so, could you tell me what the correct way is to mark it as secure.

thanks.

AnarchistGeek · Accepted Answer · 2018-01-19T10:57:15.983

17

I found this piece of code to which made my authentication cookie secure. I cant remember the source of this but if you add it to your global.asax, it sorts the issue. I do not know why but requireSSL=true in your tag was not enough to make it secure.

  protected void Application_EndRequest(Object sender, EventArgs e)
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        foreach (string sCookie in Request.Cookies)
        {
            if (sCookie.Equals(authCookie))
            {
                // Set the cookie to be secure. Browsers will send the cookie
                // only to pages requested with https
                var httpCookie = Response.Cookies[sCookie];
                if (httpCookie != null) httpCookie.Secure = true;
            }
        }
    }

edited Jan 19 '18 at 10:57

answered Jan 17 '14 at 16:10

AnarchistGeek

3,049
6
32
47

2

@AnarchistGreek, didn't work against IBM's AppScan. It still claims the cookie isn't secure. – Roy Oliver Mar 15 '17 at 17:54
1

I see, your code needs to be edited. The foreach statement should be accessing Request.Cookies instead of Response.Cookies. – Roy Oliver Mar 16 '17 at 11:13

score 12 · Answer 2 · edited May 13 '19 at 18:31

Your issue looks to be that because your form is incorrectly configured. You have:

<forms ... requireSSL="" ... />

and you should have

<forms ... requireSSL="true" ... />

According to Microsoft the requireSSL attribute in the httpCookies tag is overridden by the requireSSL attribute of the forms tag. You didn't set the value, but you specified it may cause IIS to use the default of false. You should set it to true.

score 0 · Answer 3 · edited Aug 07 '23 at 04:41

0

Answer for your secong question

Possible duplicate of How to secure .ASPXAUTH token

as per answer by xelco

To prevent forms authentication cookies from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access and restrict forms authentication tickets to SSL channels by setting requireSSL="true" on the <forms> element. To restrict forms authentication cookies to SSL channels set requireSSL="true" on the <forms> element, as shown in the following code:
<forms loginUrl="Secure\Login.aspx" requireSSL="true" ... />
By setting requireSSL="true", you set the secure cookie property that determines whether browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

edited Aug 07 '23 at 04:41

Majid Basirati

2,665
3
24
46

answered Jan 15 '14 at 09:04

Nilesh Gajare

6,302
3
42
73

Thanks. I have read that answer and that is what I did as I stated in the question. I did exactly what is described, but ASPXAUTH token cookie is not still marked as secure. – AnarchistGeek Jan 15 '14 at 09:13
I hate to repeat the obvious, but requireSSL is how you set the secure cookie flag. https://www.owasp.org/index.php/SecureFlag. One thing to check is the hierarchy of the config files. It may be set at the top web.config, but overwritten in the sub-directory. You can also check in code. http://msdn.microsoft.com/en-us/library/system.web.httpcookie.secure%28v=vs.110%29.aspx – 0leg Jan 15 '14 at 15:28

score 0 · Answer 4 · answered Mar 27 '20 at 15:00

An alteration to AnarchistGeek's answer: you don't want to iterate over Request.Cookies directly because adding a cookie by using the response collection makes the cookie immediately available in the request collection (see the note in the HttpRequest.Cookies docs here). That will leave you with a "Collection was modified after the enumerator was instantiated" error when you go to set/alter the response .ASPXAUTH cookie, because it is also modifying the request collection.

protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = FormsAuthentication.FormsCookieName;
    string[] cookieNames = Request.Cookies.AllKeys;

    foreach (string sCookie in cookieNames)
    {
        if (sCookie.Equals(authCookie))
        {
            var httpCookie = Response.Cookies[sCookie];
            if (httpCookie != null) httpCookie.Secure = true;
        }
    }
}

Note that this particular solution will clear the existing value of the .ASPXAUTH cookie (see this post)

Secure Flag for ASPXAUTH Cookie

4 Answers4

Linked