
I've been trying to figure out how to set the secure flag on all the server cookies for our website. We're running .NET 4.5. I tried adding `<httpCookies requireSSL="true" />` to the web.config file. I tried adding `<authentication><forms requireSSL="true" /></authentication>`. I tried setting the secure flag in code. Nothing had any effect. Adding the following C# function to Global.asax.cs was supposed to work, but didn't:

    // requires: using System.Web.Security; (for FormsAuthentication)
    protected void Application_EndRequest()
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        // Enumerating Response.Cookies yields the cookie names as strings
        foreach (string sCookie in Response.Cookies)
        {
            if (sCookie.Equals(authCookie))
            {
                // Set the cookie to be secure. Browsers will send the cookie
                // only to pages requested with https
                var httpCookie = Response.Cookies[sCookie];
                if (httpCookie != null) httpCookie.Secure = true;
            }
        }
    }

It finally started working after I got rid of the "if (sCookie.Equals(authCookie))..." statement. So this is the working version:

    protected void Application_EndRequest()
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        foreach (string sCookie in Response.Cookies)
        {
            // Set the cookie to be secure. Browsers will send the cookie
            // only to pages requested with https
            var httpCookie = Response.Cookies[sCookie];
            if (httpCookie != null) httpCookie.Secure = true;
        }
    }

I have several questions. First, what is the logic behind putting this in the Application_EndRequest method? Second, why did I have to get rid of the sCookie.Equals(authCookie)) part? Finally, has anyone found a more elegant solution? Thanks.

  • Usually you specify the authentication's cookie properties when you generate the cookie which should occur immediately after authentication. This is the proper place to specify that a cookie is secure. Also you should also make authentication cookies http only, otherwise they can be accessed client side which is not something you want. – Igor Aug 26 '15 at 18:13
  • 1
    The cookies are already http only. That's not a problem. I tried using the following lines to generate a cookie and set its secure property at the same time, but it had no effect. The cookie was generated, but the secure property was not set: `var cookie = FormsAuthentication.GetAuthCookie(user.UserName, false); cookie.Secure = true; System.Web.HttpContext.Current.Response.Cookies.Add(cookie);` – Tim Aug 26 '15 at 22:13
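The question's Application_EndRequest approach works on whatever cookies the current response is setting. The following Global.asax.cs handler is an added example, not code from the question or the answer: it applies HttpOnly to every outgoing cookie and Secure only when the response itself travels over HTTPS, and it records any cookie that is about to be issued over plain HTTP instead of silently skipping it. The class layout, the helper name `HardenOutgoingCookies`, and the trace message are this example's own choices.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example (not from the original post or answer): harden every cookie the
// current response is about to set, and make the one case the Secure flag cannot
// fix (a cookie leaving over plain HTTP) visible in the trace log.
public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HardenOutgoingCookies(Request, Response);
    }

    // Kept separate from the event handler so the logic is readable and testable.
    // Returns the number of cookies that received the Secure flag.
    internal static int HardenOutgoingCookies(HttpRequest request, HttpResponse response)
    {
        bool overHttps = request.IsSecureConnection;
        int hardened = 0;

        // An HttpCookieCollection enumerates cookie names, not cookie objects;
        // each name is looked up to reach the HttpCookie itself.
        foreach (string name in response.Cookies.AllKeys)
        {
            HttpCookie cookie = response.Cookies[name];
            if (cookie == null) continue;

            // No script access, regardless of transport.
            cookie.HttpOnly = true;

            if (overHttps)
            {
                cookie.Secure = true;
                hardened++;
            }
            else
            {
                // Current browsers refuse to store a Secure cookie that arrives over
                // plain HTTP, so setting the flag here would only make the session
                // disappear silently. Leave the cookie alone and log the condition.
                Trace.TraceWarning("Cookie '{0}' is being issued over HTTP for {1}; " +
                                   "Secure flag not applied.", name, request.RawUrl);
            }
        }

        return hardened;
    }
}
```

Two things to keep in mind when reading the log output. Response.Cookies only holds cookies the current response is setting, so the forms-authentication ticket appears there only on the response that issues or renews it (login, or a sliding-expiration refresh); on every other request the ticket arrives in Request.Cookies and this handler never sees it. And behind a TLS-terminating load balancer, `IsSecureConnection` describes the hop between the balancer and IIS, not the client's connection; in that deployment `overHttps` has to be derived from the proxy's forwarded-protocol header, and that header should be trusted only when the request really came from the proxy.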

1 Answer

If you are executing the request over HTTP and not HTTPS then I do not think you can set Secure = true. Can you verify that you are running over a secure connection? You can do some google / bing searches on how to generate a local certificate if you are testing on your dev box. Also do not forget to encrypt your cookie so it's not readable on the client side.

Here is some sample code.

    // requires: using System; using System.Web; using System.Web.Security;
    // Runs in the login handler, after the credentials have been verified.
    var userName = "userName";
    var expiration = DateTime.Now.AddHours(3);
    var rememberMe = true;
    var ticketValueAsString = generateAdditionalTicketInfo(); // get additional data to include in the ticket (your own helper)

    var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, expiration, rememberMe, ticketValueAsString);
    var encryptedTicket = FormsAuthentication.Encrypt(ticket); // encrypt the ticket

    var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
            HttpOnly = true,
            Secure = true,
        };

    Response.Cookies.Add(cookie); // issue the cookie with the response

EDIT - Added link

Also take a look at this previous answer and how you can configure your web.config to ensure that cookies are always marked as secure.

  • Thanks. I'll try that. – Tim Aug 27 '15 at 16:12
  • Strange. I tried your code and it didn't work. However, I tried adding to web.config and this time it worked. (I had tried it repeatedly before and could never get it to work.) Just to make things even more confusing, we are using forms authentication, but it doesn't seem to matter whether I add requireSSL="true" to that section or not. I'm going to add it anyway, just to be safe. Thanks for your help. – Tim Aug 30 '15 at 17:30
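The answer's edit points to configuring web.config rather than touching cookies in code. As an added example, not the answer's own configuration, this is the web.config fragment that makes ASP.NET apply the flags itself; the `loginUrl` value is an assumption, everything else is the stock `system.web` schema.

```xml
<!-- Added example (not from the answer): let the framework mark cookies itself. -->
<configuration>
  <system.web>
    <!-- httpOnlyCookies: every HttpCookie the application creates defaults to HttpOnly.
         requireSSL: every HttpCookie defaults to Secure, so per-request code is unnecessary. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- requireSSL on the forms element governs the authentication ticket specifically:
           FormsAuthentication.GetAuthCookie/SetAuthCookie throw if the request is not HTTPS,
           and a ticket presented over plain HTTP is ignored rather than honoured.
           loginUrl is an assumed value for this example. -->
      <forms loginUrl="~/Account/Login" requireSSL="true" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```

The two settings are complementary: `<httpCookies requireSSL="true" />` covers the session cookie and any cookie the application creates, while `<forms requireSSL="true" />` adds the fail-closed behaviour for the authentication ticket, which is why a login page served over HTTP stops working once it is set; that is the check working as intended, not a misconfiguration.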