Reputation: 1286
Securing cookies in ASP.NET
i know this question has been asked many times but i dont know why i m unable to sort out this issue
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="false" domain=""/>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="20" cookieName="id">
</system.web>
but its not working as required
can someone help me how to get it fixed or what i m doing wrong .
i have tried to get it fixed in code in Global.asax on App
protected void Application_EndRequest()
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s.ToLower() == "id")
{
Response.Cookies[s].HttpOnly = true;
}
}
}
Enviroment: ASP.NET MVC
Regards
Upvotes: 2
Views: 16719
Answers (1)
Reputation: 449
This will help you.
There are two ways, one httpCookies element in web.config allows you to turn on ReqiresSSL. The secure attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection.
The httpOnlyCookies attribute politely asks the web browser to not share a cookie with scripts or Applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.
https://stackoverflow.com/a/6190050/1891919
https://www.jardinesoftware.net/2015/10/13/securing-the-net-cookies/
Upvotes: 3
Related Questions
- Create Cookie ASP.NET & MVC
- Using cookie in asp.net mvc c#
- Make ASP.NET cookie secure
- Securing Cookies for Default MVC 5 Application
- Secure Authentication cookie Asp.Net
- Cookie management in ASP.NET MVC
- Protecting Cookies in ASP.NET and SSL
- Controlling access to pages by cookies
- ASP.NET MVC authentication cookie
- Authentication Cookie