
In my web.config (IIS6.1 asp.net 4.0):

  <system.web>
    <authentication mode="None"/>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

Browsing to localhost/whatever using https works fine. All requests complete successfully. My problem is that the cookies I get don't have the 'secure' flag set. The HTTP flag is set.

How do I get the Secure flag? My implementation of IPrincipal?

Thanks.

Clueless
  • Take a look at this link http://stackoverflow.com/questions/5978667/how-to-secure-the-asp-net-sessionid-cookie – Mez Jun 10 '14 at 13:41

3 Answers


Check to see whether the Forms Authentication web.config element also has requireSSL set to true, because that setting overrides the System.Web httpCookies element setting and defaults to false.

  • Not using forms authentication anywhere in the solution. Thanks. – Clueless Jun 10 '14 at 14:28
  • This was mostly the answer. The requireSSL was indeed what caused this but the setting had been moved to an sso.config file - so when I put it in web.config the sso.config overwrote it. – Clueless Jun 12 '14 at 10:31

Setting this property sends the 'Secure' attribute from server to client, indicating that the client may only transmit it back if an SSL connection is used.

In short, you can test this by running your ASP.NET application on SSL. A simple way of doing this is by selecting your web project in Visual Studio > Properties > set SSL Enabled to true.

Additionally, OWASP has a decent article about testing for cookie attributes. In the article, the aforementioned Secure attribute is described understandably:

Secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

Juliën
  • Thanks for the link about testing! Good overview on the required settings to get the 'secure' flag set. – Clueless Jun 12 '14 at 10:33
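As an added example (not code from the question or any of the answers), here is one way to carry out the test suggested above: a small Python script that parses Set-Cookie response headers and reports which cookies lack the Secure and HttpOnly attributes. The sample header values are constructed to mirror the situation in the question (HttpOnly present, Secure missing), and the optional `fetch_set_cookie_headers` helper assumes the site is reachable over HTTPS from the machine running the script.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
import http.client
import ssl
from urllib.parse import urlparse

# Constructed sample resembling the question: HttpOnly is set, Secure is not,
# even though the response was served over HTTPS.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "MyAppAuth=xyz789; expires=Tue, 10-Jun-2014 13:41:00 GMT; path=/; HttpOnly; Secure",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure, HttpOnly
    return name, attrs


def audit_cookies(set_cookie_values):
    """Return {cookie_name: [missing attributes]} for each Set-Cookie value."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        findings[name] = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return findings


def fetch_set_cookie_headers(url, verify=True):
    """Request `url` over HTTPS and return the raw Set-Cookie header values."""
    u = urlparse(url)
    ctx = ssl.create_default_context()
    if not verify:  # only for a self-signed development certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    values = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return values


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie, "missing:", ", ".join(missing) or "nothing")
```

Against a running site, pass `fetch_set_cookie_headers("https://localhost/whatever", verify=False)` to `audit_cookies` instead of the constructed sample; any cookie listed with `secure` missing is one the browser will still send over plain HTTP.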

Found it - it was indeed the requireSSL attribute that caused this. However it was set elsewhere in the application (in an sso.config file - where it was set to false and overwrote whatever I put in web.config).

Clueless