Reputation: 31
I have a site that has both HTTP and HTTPS pages.
I have tried the following to make cookies secure:
<httpCookies requireSSL="true" />
with form authentication.Application_End
In both cases, pages don't work with HTTP. I think the above solution only works if all the pages use HTTPS.
How to resolve this puzzle?
Upvotes: 3
Views: 6381
Reputation: 10565
The question, "How to resolve this puzzle", requires an analysis of the requirements to see whether it would be better to use https for the whole website or a combination of http and https.
Since you are also asking for an alternative in one of your above comments, I hope the below info may help you decide on alternatives.
Background:
Basically, you use http for all pages that have nothing to do with sensitive data, and https on the pages that have sensitive data. Many times we prefer not to use https for the whole website, as more data travels and it takes time to encrypt and decrypt it, thereby adding to the actual time it takes to load/display a page.
However, there are arguments against the above common notion, and you can also find encouragement to use https for your whole website. Check this: How to implement HTTPS only on part of website?
And, YES, secure cookies can only be used on https pages.
Some suggestions
You should protect your sensitive data and this applies to Cookies too. If bad has to happen, check here how bad it can happen: Can some hacker steal the cookie from a user and login with that name on a web site?
You may divide your user data into secure and non-secure. For example, on Flipkart.com, we see that normally you can browse through the various items, do a search, view details of every single item, etc., and all such pages are http only. The interesting part comes when you finally proceed with buying, and all those pages are https. This link can help you get started on this concept: http://www.codeproject.com/Articles/5523/Switching-Between-HTTP-and-HTTPS-Automatically OR: Setting up SSL page only on login page
Upvotes: 3
Reputation: 7411
The whole point of a cookie set as 'secure' is that it is only transmitted over https; the http pages will not receive a copy of it. From Wikipedia:
A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
If you want to use a secure cookie, you need to ensure that all the pages use https.
Upvotes: 9
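Added example (not part of either answer, and not ASP.NET code): a client-side model, using Python's standard-library cookie jar, of why the HTTP pages stop seeing the login once the authentication cookie is marked Secure, and how a cookie without the attribute still reaches both schemes. The host, paths, cookie values and the `ui_theme` cookie are constructed; `.ASPXAUTH` is used as the forms-authentication cookie name on the assumption that the site keeps the ASP.NET default.

```python
import http.cookiejar
import urllib.request
from email.message import Message

HOST = "www.example.com"  # constructed host

# Constructed Set-Cookie headers, as a login page served over HTTPS might send them.
LOGIN_SET_COOKIES = [
    ".ASPXAUTH=constructed-ticket; Path=/; Secure; HttpOnly",  # sensitive: Secure
    "ui_theme=dark; Path=/",                                   # non-sensitive: no Secure
]


class FakeResponse:
    """Offline stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def login():
    """Return a cookie jar holding the cookies from the simulated HTTPS login."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(f"https://{HOST}/account/login")
    jar.extract_cookies(FakeResponse(LOGIN_SET_COOKIES), request)
    return jar


def cookies_sent(jar, url):
    """Return the names of the cookies the client would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the Secure rule based on the URL scheme
    header = request.get_header("Cookie", "")
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}


if __name__ == "__main__":
    jar = login()
    for url in (f"https://{HOST}/checkout", f"http://{HOST}/products"):
        print(url, "->", sorted(cookies_sent(jar, url)))
```
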