2

I have included the lines of code below in my Web.config and Global.asax.cs files. Still, when I use the developer tools in the browser, I can see that the Secure flag is not set on the cookies below.

I also configured SSL Settings in my IIS (selected the requireSSL checkbox).

I would like to set the Secure attribute on all cookies, not only on received cookies but also on sent cookies. Any suggestions, please?

In Web.config:

<httpCookies requireSSL="true"/>

In Global.asax.cs:

protected void Application_EndRequest(object sender, EventArgs e)
{
    if (Request.IsSecureConnection == true && HttpContext.Current.Request.Url.Scheme == "https")
    {
        Request.Cookies["ASP.NET_SessionID"].Secure = true;
        if (Request.Cookies.Count > 0)
        {
            foreach (string s in Request.Cookies.AllKeys)
            {
                Request.Cookies[s].Secure = true;
            }
        }

        Response.Cookies["ASP.NET_SessionID"].Secure = true;
        if (Response.Cookies.Count > 0)
        {
            foreach (string s in Response.Cookies.AllKeys)
            {
                Response.Cookies[s].Secure = true;
            }
        }
    }
}

In Browser: [screenshot of the browser developer tools, not included]

mybrave
Tech Learner

1 Answer

0

There are two ways. One, the httpCookies element in web.config allows you to turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only, and also inside forms authentication; but if you turn on SSL on httpCookies, you must also turn it on inside the forms configuration too.

<forms requireSSL="true" />
<httpCookies requireSSL="true" />
Tech Learner
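Added example, not part of the original question or answer: a version of the `Application_EndRequest` handler that marks only outgoing cookies and walks the response collection by index. The class name `Global` is an assumption, and the handler assumes TLS is terminated by IIS itself so that `Request.IsSecureConnection` reflects the client connection.

```csharp
// Global.asax.cs: added illustration, not the poster's code.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Only outgoing cookies matter: the browser stores the attributes it
        // receives in Set-Cookie and sends back name=value pairs only, so
        // setting Secure on Request.Cookies changes nothing in the browser.
        if (!Request.IsSecureConnection)
        {
            return; // a Secure cookie would never be sent back over plain HTTP
        }

        // Nothing can be changed once the headers have left the server
        // (HeadersWritten needs .NET Framework 4.5.2 or later).
        if (Response.HeadersWritten)
        {
            return;
        }

        // Walk by index rather than Response.Cookies["name"]: on the response
        // collection the string indexer creates and queues an empty cookie
        // when the name is absent, so it is not a safe way to look one up.
        HttpCookieCollection outgoing = Response.Cookies;
        for (int i = 0; i < outgoing.Count; i++)
        {
            HttpCookie cookie = outgoing[i];
            cookie.Secure = true; // browser will send it over HTTPS only
        }
    }
}
```

A cookie the browser stored before the flag was added keeps its old attributes until the server issues it again, so clear the site's cookies (or start a new session) before re-checking in the developer tools.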