Securing cookies in ASP.NET

Question

i know this question has been asked many times but i dont know why i m unable to sort out this issue

<system.web>
 <httpCookies httpOnlyCookies="true" requireSSL="false" domain=""/>
 <sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="20" cookieName="id">
</system.web>

but its not working as required

can someone help me how to get it fixed or what i m doing wrong .

i have tried to get it fixed in code in Global.asax on App

protected void Application_EndRequest()
        {
           foreach (string s in Response.Cookies.AllKeys)
            {
                if (s.ToLower() == "id")
                {
                    Response.Cookies[s].HttpOnly = true;                      
                }
            }
        }

Enviroment: ASP.NET MVC

Regards

Not enough info, plus it's been asked a lot of times. You should know with your rep to include what you've tried and *what exactly* doesn't work — Jeremy Thompson, Feb 23 '17 at 06:41
this looks plain simple and i have tried and read many articles and mostly recommend to do as i m doing but it didnt work . its not making httpcookie true dats y i posted the question — Salman, Feb 23 '17 at 07:02
"its not working as required" - what *is* required? How is it "not working"? Please extend your question with these details. — Hans Keﬆing, Feb 23 '17 at 09:06
i cant see HTTPONly true when response returned from server (in cookies) i have been using chrome — Salman, Feb 23 '17 at 10:08

score 3 · Answer 1 · edited May 23 '17 at 12:09

3

This will help you.

There are two ways, one httpCookies element in web.config allows you to turn on ReqiresSSL. The secure attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection.

The httpOnlyCookies attribute politely asks the web browser to not share a cookie with scripts or Applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.

https://stackoverflow.com/a/6190050/1891919

https://www.jardinesoftware.net/2015/10/13/securing-the-net-cookies/

edited May 23 '17 at 12:09

Community

1
1

answered Feb 23 '17 at 06:56

Rahul Murari

439
1
5
16

How would you handle this so that it would NOT set the flag while locally developing, but only while on the live environment? – Robert Benedetto Oct 22 '17 at 07:16
1

@RobertBenedetto web.config transforms for each environment. – Jaywaa Apr 25 '18 at 17:34

Securing cookies in ASP.NET

1 Answers1