Secure cookie
Thu, 3 Apr 2008 16:28:13 +0000
Hello Everybody, We have an intranet application developed in ASP.NET 1.1 and C#.
We have used InProc session state and Windows authentication. We
use one cookie ("myCookie") at the client's machine to store user credentials
to remember his login credentials. Everything is fine, but my security team is
arguing that the secure attribute is missing from all the cookies used by the
application. However, we have added the following; still they say the same.
Response.Cookies["myCookie"].Secure=true;
What else do I need to take care of to secure the cookie? Does InProc session state
create any cookie at the client's machine?
Any suggestions would be appreciated.
Regards,
Kiran
Re: Secure cookie
Thu, 3 Apr 2008 22:41:41 +0000
Using a secure cookie means that the cookie requires an SSL connection with the
site that generated it in order for it to be used. This should prevent phishing
sites from accessing data within the cookie for malicious purposes.
If you are using SSL with your site, which you must in order to use an SSL
cookie, then add the following line in your web.config, inside the
<system.web> tag:
<httpCookies httpOnlyCookies="false" requireSSL="true" />
This will make all of the cookies you create secure, and you will not be able
to access information stored in a cookie unless the SSL connection is present.
(Make sure you comment this line out if you need to test on your local machine
without SSL.) With this, there is no need to add
Response.Cookies["myCookie"].Secure=true; to your code.
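
An added example, not part of either post: a Python check of the kind a security review runs, listing which cookies in a response lack the Secure or HttpOnly flag, so the session cookie is covered as well as "myCookie". The response text is constructed sample data; ASP.NET_SessionId is the default ASP.NET session cookie name, and the function names are this example's own.

```python
# Constructed sample response headers (not captured from a real application).
RAW_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: myCookie=abc123; path=/; secure
Set-Cookie: ASP.NET_SessionId=xyz; path=/; HttpOnly
set-cookie: mode=secure; expires=Fri, 03-Apr-2009 16:28:13 GMT; path=/

<html>"""


def set_cookie_values(raw):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    values = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    # The first part is name=value; a value such as "secure" is not a flag.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw, required=("secure", "httponly")):
    """Map each cookie name to the required flags it does not carry."""
    findings = {}
    for value in set_cookie_values(raw):
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(RAW_RESPONSE).items():
        print(cookie, "is missing:", ", ".join(missing))
```
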