Tech Learner
Reputation: 1317
Secure flag for ASPXAUTH Cookie in MVC
We have an Application which is developed using ASP.NET MVC3. Penetration-test done by an IBM AppScan tool.
Issue has been reported and it was ASPXAUTH is not secure. When I checked on the browser's developer tools, there are some cookies with Secure flag. But ASPXAUTH was not one of them.
Already I have included below line of code in Web.Config file.
<httpCookies requireSSL="true"/>
Note : We are not using Forms Authentication for login. We are using Signle Sign-On Mechanism.
What is the correct way to mark ASPXAUTH as secure?
Upvotes: 2
Views: 1759
Answers (2)
Purendra Naik
Reputation: 11
This is not working for me, not using form authentication but using centralized login. Added below code:
foreach (string sCookie in httpCookies.AllKeys)
{
if (sCookie == FormsAuthentication.FormsCookieName || sCookie.ToLower() == "asp.net_sessionid")
{
httpCookies[sCookie].Secure = true;
}
}
Upvotes: 1
Tech Learner
Reputation: 1317
Add below code in Global.asax.cs file.
protected void Application_EndRequest(object sender, EventArgs e)
{
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
Response.Cookies[s].Secure = true;
}
}
}
}
Upvotes: 2
Related Questions
- Secure Flag for ASPXAUTH Cookie
- How can I set the 'secure' flag for cookies in an ASP.NET MVC website?
- Securing cookies in ASP.NET
- Is it compulsory to add Secure Flag to a Cookie over HTTPS
- Secure Cookies in ASP.NET
- Securing Cookies for Default MVC 5 Application
- Secure Authentication cookie Asp.Net
- Create MVC 3 ASPXAUTH cookie from MVC 5.1 application - Single Sign on
- How do I set secure flag on cookie in asp.net web api
- ASP.NET MVC authentication cookie