Last post Sep 25, 2013 02:10 AM by Shawn - MSFT
Sep 24, 2013 03:11 AM|Dnyaneshwar|LINK
I have enabled the secure flag for cookies by adding <httpCookies requireSSL="true" /> under system.web
So all the generated cookies must have the secure flag.
Do I need more settings for ASP.NET_SessionId to give it the secure flag?
Sep 24, 2013 03:22 AM|atulthummar|LINK
Here's a post that will help to improve security.
Sep 24, 2013 03:56 AM|Dnyaneshwar|LINK
Thanks for your reply.
Can't we just enable the secure flag for ASP.NET_SessionId?
Sep 25, 2013 02:10 AM|Shawn - MSFT|LINK
A cookie can be set with the Secure flag, which causes it to be sent only over a secure channel, such as an SSL connection. This Secure flag will ensure that session cookies are sent only over secure channels to prevent them from being captured in transit.
If an application is using the default ASP.Net session ID (e.g. ASP.NET_SessionID) as the session token, the secure flag can be set using the following code.
Include the following statement in the Session_Start of the global.asax file:
    protected void Session_Start(Object sender, EventArgs e)
    {
        // secure the ASP.NET Session ID only if using SSL
        // if you don't check for the issecureconnection, it will not work.
        if (Request.IsSecureConnection == true)
        {
            Response.Cookies["ASP.NET_SessionID"].Secure = true;
        }
    }
For more information, you could refer to:
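One way to confirm from the server's responses that the session cookie really carries the flag (an added example, not part of the original thread): the Python below parses Set-Cookie header values and reports cookies that lack the Secure attribute. The header values are constructed samples, and the function names are hypothetical.

```python
SESSION_COOKIE = "ASP.NET_SessionId"  # default ASP.NET session cookie name


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased (they are case-insensitive);
    flag attributes such as Secure map to an empty string.
    Pass each Set-Cookie header separately, never comma-joined,
    because Expires dates contain commas.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(set_cookie_headers, required=("secure",)):
    """Return {cookie name: [missing attributes]} for failing cookies."""
    findings = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [a for a in required if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


def session_cookie_is_secure(set_cookie_headers):
    """True only if the session cookie is set and every copy has Secure."""
    # Compared case-insensitively: the thread spells the name both ways.
    seen = [attrs for name, _, attrs in map(parse_set_cookie, set_cookie_headers)
            if name.lower() == SESSION_COOKIE.lower()]
    return bool(seen) and all("secure" in a for a in seen)


# Constructed sample headers (not captured from a real site).
BEFORE = ["ASP.NET_SessionId=abc123; path=/; HttpOnly",
          ".ASPXAUTH=deadbeef; path=/; secure; HttpOnly"]
AFTER = ["ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
         ".ASPXAUTH=deadbeef; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", audit_cookies(BEFORE))
    print("after: ", audit_cookies(AFTER))
```

Passing `required=("secure", "httponly")` to `audit_cookies` checks both attributes in one pass.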