Last post May 28, 2018 01:02 PM by PatriceSc
May 28, 2018 12:48 PM|devd9091|LINK
I want to learn .Net Core so I am using .Net framework 1.0.0 RC1 Update2 using Visual Studio 2015, for my sample project. In that I have created my own cookie for session management, but by .Net framework 1.0.0 RC1 Update2, the .AspNet.Session cookie is generated automatically. But I have found in the OWASP Top 10 that cookies need to be secure. According to this I have made my own generated cookie secure, but I am not able to do so for the .AspNet.Session cookie.
I have below two questions in my mind...
Q.1) If I have not made the .AspNet.Session cookie secure, will that create a threat hole in the application, given that I have not used this cookie for session management in my sample project?
Q.2) If yes, how do I make the .AspNet.Session cookie secure in .Net framework 1.0.0 RC1 Update2?
Looking for your help.
Thanks in advance.
May 28, 2018 01:02 PM|PatriceSc|LINK
Hmm, I would suggest starting with VS 2017 Community and .NET Core 2.x rather than with an old release candidate version.
ASP.NET Core should have support for doing that for all cookies. The main features I see are:
- you can tell a browser that a cookie should be sent back only on an https connection (which prevents someone from reading cookie values by looking at clear text network traffic)
See for example https://blog.mariusschulz.com/2016/07/19/securing-authentication-cookies-in-asp-net-core. Using F12 network should allow you to inspect the response and to see if the correct flags are set.
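
An added example, not part of the thread or of the linked blog post: one way to mark the session cookie and every other cookie as Secure, assuming ASP.NET Core 2.x as suggested in the reply rather than RC1. The audit middleware is a hypothetical server-side counterpart to the F12 check; it logs the name of any cookie that leaves without the Secure attribute.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup   // assumes an ASP.NET Core 2.x project
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();   // backing store for session state
        services.AddSession(options =>
        {
            // Always: the session cookie carries the Secure attribute,
            // so the browser returns it only over https.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.HttpOnly = true;      // not readable from page script
        });
    }

    public void Configure(IApplicationBuilder app, ILogger<Startup> logger)
    {
        // Audit (hypothetical helper): registered first, so its OnStarting
        // callback runs last and sees cookies added by later middleware.
        app.Use(async (context, next) =>
        {
            context.Response.OnStarting(() =>
            {
                foreach (var header in context.Response.Headers["Set-Cookie"])
                {
                    var attrs = header.Split(';').Select(p => p.Trim());
                    if (!attrs.Contains("secure", StringComparer.OrdinalIgnoreCase))
                        logger.LogWarning("Cookie sent without Secure: {Name}",
                                          header.Split('=')[0]);   // name only, never the value
                }
                return Task.CompletedTask;
            });
            await next();
        });
        // Site-wide policy: applies to cookies written through Response.Cookies,
        // including an application's own custom cookie.
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            Secure = CookieSecurePolicy.Always,
            HttpOnly = HttpOnlyPolicy.Always
        });
        app.UseSession();   // must come after the cookie policy middleware
    }
}
```

With both settings in place the warning should only appear for a cookie written straight into the Set-Cookie header, which bypasses the cookie policy.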