Securing your ASP.NET Cookies

You might find from Pen Tests on your ASP.NET web applications that a common failure point is security around cookies over HTTPS.

Even if you force your application to use HTTPS, some cookies, such as the ASP.NET_SessionId cookie, can still be sent over plain HTTP.

A simple fix for this is in your Web.config file:

<system.web>
  <!-- httpOnlyCookies: cookies are not readable from client-side script -->
  <!-- requireSSL: cookies are flagged Secure, so the browser only sends them over HTTPS -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

Source: How to secure the ASP.NET_SessionId cookie?
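A quick way to confirm the fix took effect is to look at the Set-Cookie headers the site returns. The Python script below is an added example, not code from the original post: it parses Set-Cookie lines and reports every cookie that lacks the Secure or HttpOnly attribute; the sample headers are constructed to show the before and after of the Web.config change.

```python
import re

# Constructed sample headers, as an ASP.NET site might return them
# before and after the Web.config fix (not captured from a real site).
BEFORE_FIX = [
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "Set-Cookie: .ASPXAUTH=deadbeef; path=/",
]
AFTER_FIX = [
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: .ASPXAUTH=deadbeef; path=/; secure; HttpOnly",
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie line."""
    value = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names only; values such as path=/ or expires=... are dropped.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers):
    """Map each cookie name to the protective flags it does not carry."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        lacking = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if lacking:
            findings[name] = lacking
    return findings


if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, missing_flags(headers) or "all cookies carry Secure and HttpOnly")
```

Run the same check against the headers from a real HTTPS response (for example, the output of a browser's network panel) to verify requireSSL and httpOnlyCookies are in force.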


Published by

Alan Feekery

Developer, Gamer, Musician, Cyclist and big Motorsport fan... enjoys the odd cup of coffee :)
