Last post Oct 19, 2017 07:25 AM by Cathy Zou
Oct 18, 2017 12:38 PM | jwdocx
I'm trying to set all cookies to Secure and HTTPOnly, and in web.config > system.web I set this:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Next when I set the actual cookies on the login page, I'm doing this (and confirm while debugging they are set properly):
myCookie.HttpOnly = True
' Only mark the cookie Secure when the request actually arrived over HTTPS
If Request.IsSecureConnection Then
    myCookie.Secure = True
End If
But when I get to the destination page and print out the cookie info, it clearly shows that they are not set:
ASP.NET_SessionId = 50yahcmaeayyipj1vkubava0; Secure = False; HTTPOnly = False
SSOLoggedIn = True; Secure = False; HTTPOnly = False
Here is the login process if it makes any difference:
User logs in on login.aspx, gets redirected to default.aspx which is a frameset, then the main window is loaded with a Splash page that shows a spinner while homepage.aspx loads. It's on homepage.aspx that the cookies are printed out in a debug output; just checked and they are false on the splash page as well.
I confirmed that we are in HTTPS the whole time.
Having set this in code, I never would have expected them to not retain these settings, but this was picked up in our Web Application Scan for vulnerabilities.
Any assistance would be gratefully appreciated.
Oct 19, 2017 07:25 AM | Cathy Zou
As far as I know, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
/* forms content */
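Secure and HttpOnly are attributes of the Set-Cookie response header and are never echoed back by the browser, so the response headers from the login step are where the scanner's finding is verified. As an added example (not code from this thread), a POSIX shell audit that reads a raw HTTP response and reports each cookie's flags; the response is a constructed sample embedded in the script, and the .ASPXAUTH name is the default ASP.NET forms-authentication cookie with a placeholder value:

```shell
#!/bin/sh
# Audit Set-Cookie headers in a raw HTTP response for missing Secure/HttpOnly.
# SAMPLE_RESPONSE is constructed for an offline run; in practice feed the
# function the output of a captured login response (e.g. curl -i over HTTPS).
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Location: /default.aspx
Set-Cookie: ASP.NET_SessionId=50yahcmaeayyipj1vkubava0; path=/; HttpOnly
Set-Cookie: SSOLoggedIn=True; path=/
Set-Cookie: .ASPXAUTH=placeholder-ticket; path=/; secure; HttpOnly
'

# audit_cookies: reads an HTTP response on stdin and prints one line per
# Set-Cookie header as "<name> secure=<yes|no> httponly=<yes|no>".
# Attribute names are case-insensitive (RFC 6265), so they are matched that way,
# and a flag only counts when it appears as its own ";"-separated attribute,
# never when the word merely occurs inside the cookie value.
audit_cookies() {
    tr -d '\r' | grep -i '^set-cookie:' | while IFS= read -r line; do
        cookie=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//')
        name=${cookie%%=*}
        secure=no
        httponly=no
        printf '%s\n' "$cookie" | grep -qiE ';[[:space:]]*secure[[:space:]]*(;|$)' && secure=yes
        printf '%s\n' "$cookie" | grep -qiE ';[[:space:]]*httponly[[:space:]]*(;|$)' && httponly=yes
        printf '%s secure=%s httponly=%s\n' "$name" "$secure" "$httponly"
    done
}

# weak_cookie_count: prints how many cookies in the response on stdin are
# missing at least one of the two flags (usable as a CI gate: non-zero = fail).
weak_cookie_count() {
    audit_cookies | grep -c -e 'secure=no' -e 'httponly=no'
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_RESPONSE" | audit_cookies
printf 'cookies missing a flag: %s\n' "$(printf '%s' "$SAMPLE_RESPONSE" | weak_cookie_count)"
```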