Reputation: 491
In the server response, I am adding the "secure" flag to all cookies by placing the following line within the web.config:

    <system.web>
        <httpCookies requireSSL="true" />
    </system.web>
This seems to work since the ASP.NET_SessionId cookie shows the "secure" flag in the response:
However, when I perform an action on the page and check the Dev Tools again, I notice that the very same cookie no longer has the "secure" flag in the client request:
I am using the Internet Explorer 11 developer tools to view the Network tab.
Should the session cookie contain the "secure" flag in the client's request? If not, are there any security implications of having an "insecure" request cookie?
After spending some time looking into it, I did not find any code in my application that was altering the cookies or the "secure" flag on the cookies. Any information on the matter will be appreciated.
Upvotes: 2
Views: 516