Andriy Khrystyanovich

Reputation: 1452

asp.net secure cookies

I want to secure my cookies. I read about the "HttpOnly" and "Secure" cookie flags for the ASP.NET_SessionId cookie. I created a new ASP.NET project in VS, and in Fiddler under Inspectors -> Raw I have:

Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

Then I modify web.config:

<system.web>
    <compilation debug="true" targetFramework="4.0" />

    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" requireSSL="true" />
    </authentication>
</system.web>

But in Fiddler I see the same data:

Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

I think that when I add <httpCookies httpOnlyCookies="true" requireSSL="true"/> I can't see the cookies in Fiddler, or the cookies will be encrypted. Is this the correct result? Or do I have a mistake somewhere?

EDIT

And why don't I see in Fiddler

Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; secure; HttpOnly

but only the cookie, without Set-, Secure and HttpOnly? In Firebug I see the same results.

EDIT2: It seems I found my problem: I hosted the app on IIS and looked for the cookies in Firebug, and I have cookies with the Secure and HttpOnly flags:

ASP.NET_SessionId=98sfd90sdf89sd0f80s8; path=/; secure; HttpOnly

Upvotes: 9

Views: 27405

Answers (2)

Ali.h

Reputation: 31

To secure cookies you can use IDataProtector to encrypt and decrypt your value.

In your class:

using Microsoft.AspNetCore.DataProtection;

private readonly IDataProtector dataProtector;

public HomeController(IDataProtectionProvider provider)
{
    // The argument is a "purpose" string that scopes this protector's keys,
    // not a private key; the provider manages the actual key material.
    dataProtector = provider.CreateProtector("YourPrivateKey");
}

You can then use it in your methods:

using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public IActionResult SetNewCookie(string key, string value)
{
    var cookieOptions = new CookieOptions();
    cookieOptions.Secure = true;   // only sent over HTTPS
    cookieOptions.HttpOnly = true; // not readable from client-side script

    // Store the protected (encrypted and authenticated) value, not the plaintext.
    HttpContext.Response.Cookies.Append(key, dataProtector.Protect(value), cookieOptions);
    return View(nameof(Index));
}

And at the end, to decrypt the cookie value we can use:

dataProtector.Unprotect(value);

I'm also using "CookieOptions" and setting Secure and HttpOnly to true for more security (it will be harder to get the cookies when you're using third-party software).

Upvotes: 1

Be.St.

Reputation: 4181

Take a look at the httpCookies Element section in MSDN.

httpOnlyCookies sets the HttpOnly flag in the response header. See the Protecting Your Cookies: HttpOnly article.

requireSSL forces the cookie to be transferred through a secure channel, so it's not removed and is encrypted during transport.

Upvotes: 13
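An added check, not part of the question or either answer, that does what the asker was trying to do by eye in Fiddler: it scans captured header lines for Set-Cookie and reports which cookies lack the Secure and HttpOnly attributes. The header lines are constructed from the ones quoted in the thread; a request Cookie: header never carries attributes, which is why inspecting it shows nothing about the flags.

```python
# Added example (not from the question or answers): audit cookie attributes in
# captured HTTP headers. Flags such as Secure and HttpOnly appear only on the
# server's Set-Cookie response header, never on the browser's Cookie header.

# Constructed sample: one request header (what the browser sends back) and
# two response headers (what the server emits), modelled on the thread.
SAMPLE_HEADERS = """\
Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx
Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; secure; HttpOnly
Set-Cookie: DXCurrentThemeMVC=Office2010Black; path=/
"""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (cookie name, lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = set()
    for attr in parts[1:]:
        # Attributes may carry values (path=/, max-age=3600); keep only the key.
        attrs.add(attr.split("=", 1)[0].strip().lower())
    return name, attrs


def audit_headers(raw):
    """Return {cookie_name: [missing flags]} for every Set-Cookie line in raw.

    Request 'Cookie:' headers are skipped on purpose: browsers never echo
    attributes, so looking there (as in the question) cannot show the flags.
    """
    report = {}
    for line in raw.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        report[name] = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return report


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run against a real capture by pasting the raw response headers into SAMPLE_HEADERS; the session cookie passes here while the theme cookie is reported as missing both flags.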
