We are developing a system (MVC3) where only /admin is over HTTPS and anonymous users are allowed to perform tasks over HTTP.
We have engaged a third party to perform a security assessment on our site. One piece of their feedback was that "Secure flag is not set on .ASPXAUTH, Cookies will be transmitted in clear text", and they recommended including
<httpCookies requireSSL="true" />
in our web config.
Further research suggested that
<authentication mode="Forms">
  <forms requireSSL="true" />
</authentication>
also needs to be set along with this, since we use Forms authentication.
REF: How can I set the Secure flag on an ASP.NET Session Cookie?
Our issue is that the system still uses the .ASPXAUTH cookie for anonymous users (in order to auto-fill values through a forms wizard), which is over HTTP. Therefore, as soon as you apply the above settings to the main web.config, HTTP POST methods keep throwing the user back to the home page. I would assume it is due to the connection not being HTTPS.
Could you please shed any light on the situation? Is there any workaround to tell the application to allow .ASPXAUTH cookies to be sent over HTTP in the client (anonymous) area of the system, and to send .ASPXAUTH cookies over HTTPS when an admin user logs in?
I tried my best to explain the situation, but feel free to ask if you need further info.
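As an added illustration (not code from the question or from any answer to it), one way to keep the forms ticket Secure while the anonymous wizard keeps working over HTTP is to stop using .ASPXAUTH for anonymous users at all: wizard progress goes in its own non-authentication cookie, and .ASPXAUTH is issued only to admins over HTTPS. The web.config, the WizardStateCookie helper and the AdminAccountController are assumptions for this example.

```csharp
// Assumed web.config (kept in a comment so the block is one language):
//   <authentication mode="Forms"><forms requireSSL="true" /></authentication>
//   <httpCookies requireSSL="true" httpOnlyCookies="true" />
// With forms requireSSL="true", FormsAuthentication.SetAuthCookie throws an HttpException
// on a non-HTTPS request, and an .ASPXAUTH cookie presented over plain HTTP is not honoured,
// which is the "thrown back to the home page" behaviour described in the question.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Assumed helper: anonymous wizard state lives in its own cookie, not in .ASPXAUTH.
public static class WizardStateCookie
{
    const string Name = "WizardState"; // assumed name; carries form progress, no identity

    // httpCookies requireSSL="true" makes new cookies Secure by default, so this cookie sets
    // Secure from the current scheme; a Secure cookie would never come back on HTTP pages.
    public static void Write(HttpRequestBase request, HttpResponseBase response, string state)
    {
        response.Cookies.Add(new HttpCookie(Name, state)
        {
            HttpOnly = true,                     // keep it out of reach of page script
            Secure = request.IsSecureConnection, // false on the HTTP wizard pages
            Expires = DateTime.Now.AddHours(1)
        });
    }

    public static string Read(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[Name];
        return cookie == null ? null : cookie.Value;
    }
}

// Assumed controller: only admins receive the forms ticket, and only over HTTPS,
// so .ASPXAUTH can keep its Secure flag without touching the anonymous area.
public class AdminAccountController : Controller
{
    [HttpPost, RequireHttps, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return View(); // failed login: no ticket issued

        FormsAuthentication.SetAuthCookie(userName, false); // .ASPXAUTH issued with Secure set
        return RedirectToAction("Index", "Admin");
    }
}
```

The anonymous wizard pages then call WizardStateCookie.Write/Read instead of relying on a forms ticket, so nothing in the HTTP area depends on .ASPXAUTH.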