Securing your ASP.NET Cookies

A common finding from penetration tests of ASP.NET web applications is weak protection of cookies on sites that are served over HTTPS.

Even if you force your application to use HTTPS, cookies such as the ASP.NET_SessionId cookie are still sent by the browser over plain HTTP unless they carry the Secure flag, so a single http:// request to your host (an image, a redirect, a link an attacker plants) is enough to put the session ID on the wire in clear text. Cookies without the HttpOnly flag are also readable from script, which turns any cross-site scripting bug into session theft.

A simple fix is a one-line change inside the system.web element of your Web.config file:

  <httpCookies httpOnlyCookies="true" requireSSL="true" />

Two caveats. Once the cookies are marked Secure they are only usable over HTTPS, so make sure every HTTP request is redirected to HTTPS first, otherwise users arriving over HTTP will not keep a session. And the two flags address different threats: Secure keeps the cookie off the wire in clear text, HttpOnly keeps it away from JavaScript; neither is a substitute for fixing the XSS bug or for enforcing HTTPS site-wide.

Source: How to secure the ASP.NET_SessionId cookie?
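The check a pen tester runs to find this is simple: capture the server's responses and look at whether each Set-Cookie header carries Secure and HttpOnly. The following Python script is an added example, not code from the original post; it parses Set-Cookie headers from a raw HTTP response and reports the missing flags. The two responses in it are constructed by hand to show what an application looks like before and after the Web.config change, not captured from a real server.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example: feed it raw HTTP response text (for example from a proxy or
from `curl -i`) and it lists, per cookie, which protection flags are absent.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    """Result of inspecting one Set-Cookie header."""
    name: str
    secure: bool
    httponly: bool
    attributes: Dict[str, object] = field(default_factory=dict)

    @property
    def findings(self) -> List[str]:
        problems = []
        if not self.secure:
            problems.append("missing Secure: browser will also send it over http://")
        if not self.httponly:
            problems.append("missing HttpOnly: readable via document.cookie")
        return problems


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value: name=value followed by ;-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        else:
            # Attributes such as path=/ or expires=... keep their value; bare flags become True.
            attrs[key] = val.strip() if has_eq else True
    return CookieAudit(name.strip(), secure, httponly, attrs)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Extract every Set-Cookie value from the header block of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_response(raw_response: str) -> Dict[str, CookieAudit]:
    """Audit all cookies a response sets, keyed by cookie name."""
    return {c.name: c for c in (parse_set_cookie(h) for h in set_cookie_headers(raw_response))}


# Constructed sample responses (not captured from a real server).
# WEAK: what an application without the httpCookies hardening might send.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=1a2b3c4d; path=/\r\n"
    "Set-Cookie: .ASPXAUTH=9f8e7d6c; expires=Wed, 01 Jan 2020 00:00:00 GMT; path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)
# HARDENED: the same cookies after httpOnlyCookies="true" requireSSL="true".
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=1a2b3c4d; path=/; secure; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=9f8e7d6c; expires=Wed, 01 Jan 2020 00:00:00 GMT; path=/; secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)


def report(label: str, raw_response: str) -> None:
    """Print a human-readable audit for one response."""
    print(f"== {label} ==")
    for name, cookie in audit_response(raw_response).items():
        status = "OK" if not cookie.findings else "; ".join(cookie.findings)
        print(f"  {name}: {status}")


if __name__ == "__main__":
    report("before Web.config change", WEAK_RESPONSE)
    report("after Web.config change", HARDENED_RESPONSE)
```

Run it against output saved from your own site to confirm the fix actually reached production; a reverse proxy or load balancer that rewrites cookies can silently drop the flags again.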


Published by

Alan Feekery

Developer, Gamer, Musician, Cyclist and big Motorsport fan... enjoys the odd cup of coffee :)
