CODEWITHSUNDEEP
c#asp.netcookies
Tim
Tim

Reputation: 303

Making server cookies secure

I've been trying to figure out how to set the secure flag on all the server cookies for our website. We're running .NET 4.5. I tried adding <httpCookies requireSSL="true" /> to the web.config file. I tried adding <authentication><forms requireSSL="true" /></authentication>. I tried setting the secure flag in code. Nothing had any effect. Adding the following c# function to Global.asax.cs was supposed to work, but didn't:

    protected void Application_EndRequest()
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        foreach (string sCookie in Response.Cookies)
        {
            if (sCookie.Equals(authCookie))
            {
                // Set the cookie to be secure. Browsers will send the cookie
                // only to pages requested with https
                var httpCookie = Response.Cookies[sCookie];
                if (httpCookie != null) httpCookie.Secure = true;
            }

    }

It finally started working after I got rid of the "if (sCookie.Equals(authCookie))..." statement. So this is the working version:

    protected void Application_EndRequest()
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        foreach (string sCookie in Response.Cookies)
        {
            // Set the cookie to be secure. Browsers will send the cookie
            // only to pages requested with https
            var httpCookie = Response.Cookies[sCookie];
            if (httpCookie != null) httpCookie.Secure = true;
        }
    }

I have several questions. First, what is the logic behind putting this in the Application_EndRequest method? Second, why did I have to get rid of the sCookie.Equals(authCookie)) part? Finally, has anyone found a more elegant solution? Thanks.

Upvotes: 2

Views: 3694

Answers (1)

Igor
Igor

Reputation: 62213

If you are executing the request over HTTP and not HTTPS then I do not think you can set Secure = true. Can you verify that you are running over a secure connection? You can do some google / bing searches on how to generate a local certificate if you are testing on your dev box. Also do not forget to encrypt your cookie so its not readable on the client side.

Here is some sample code.

var userName = "userName";
var expiration = DateTime.Now.AddHours(3);
var rememberMe = true;
var ticketValueAsString = generateAdditionalTicketInfo(); // get additional data to include in the ticket

var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, expiration, rememberMe, ticketValueAsString);
var encryptedTicket = FormsAuthentication.Encrypt(ticket); // encrypt the ticket

var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
    {
        HttpOnly = true,
        Secure = true,
    };

EDIT - Added link

Also take a look at this previous answer and how you can configure your web.config to ensure that cookies are always marked as secure.

Upvotes: 1

Related Questions