How to protect ASP.NET_SessionId cookie?

I set the .ASPXAUTH cookie to HTTPS only, but I'm not sure how to do the same with ASP.NET_SessionId effectively.

The whole site uses HTTPS, so the cookie does not need to work with both http and https.

+57
c# session-cookies
May 12 '11 at 13:26
6 answers

Here is a snippet of code taken from a blog article written by Anubhav Goyal:

    // global.asax.cs (the class derives from HttpApplication)
    using System;
    using System.Web;
    using System.Web.Security;

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Mark the forms authentication cookie and the session cookie as Secure
        // so the browser only ever sends them over HTTPS.
        if (Response.Cookies.Count > 0)
        {
            foreach (string s in Response.Cookies.AllKeys)
            {
                if (s == FormsAuthentication.FormsCookieName
                    || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
                {
                    Response.Cookies[s].Secure = true;
                }
            }
        }
    }

Adding this to the EndRequest event handler in global.asax should do this for all page calls.

Note: an edit was suggested that adds a break; statement after a successful "Secure" assignment. I rejected that edit, because it would only force one of the cookies to be secure and the second would be ignored. It is possible to add a counter or some other indicator to determine that both have been secured, and break at that point.

+43
May 12 '11 at

To add the ; secure suffix to the Set-Cookie HTTP header, I just used the <httpCookies> element in web.config:

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
    </system.web>

IMHO this is much more convenient than writing code, as in the article by Anubhav Goyal.

See: http://msdn.microsoft.com/en-us/library/ms228262(v=vs.100).aspx

+139
Jan 23 2018-12-12T00:

Following Marcel's solution above, to protect the forms authentication cookie you must also update the authentication configuration element to require SSL:

    <authentication mode="Forms">
      <forms ... requireSSL="true" />
    </authentication>

Otherwise the authentication cookie won't be HTTPS-only.

See: http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx

+13
Sep 17 '13 at 16:23

It turns out that setting the Secure property in Session_Start is sufficient, as recommended by the MSDN blog post Session ID Protection: ASP / ASP.NET, with some additions.

    // global.asax.cs
    using System;
    using System.Configuration;
    using System.Web;
    using System.Web.Configuration;

    protected void Session_Start(object sender, EventArgs e)
    {
        // Read the configured session cookie name instead of hard-coding it.
        SessionStateSection sessionState =
            (SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
        string sidCookieName = sessionState.CookieName;

        if (Request.Cookies[sidCookieName] != null)
        {
            // Re-issue the session cookie on the response with hardened attributes.
            HttpCookie sidCookie = Response.Cookies[sidCookieName];
            sidCookie.Value = Session.SessionID;
            sidCookie.HttpOnly = true;
            sidCookie.Secure = true;
            sidCookie.Path = "/";
        }
    }
+8
Dec 12 '13 at

Adding to @JoelEtherton's solution to fix a security vulnerability that was found. This vulnerability occurs if users request HTTP and are redirected to HTTPS, but the session cookie is set to be secure on the first HTTP request. According to McAfee Secure, this is a security vulnerability.

This code will secure the cookies only if the request uses HTTPS. If the request is not HTTPS, the session cookie is expired.

    // global.asax.cs (the class derives from HttpApplication)
    using System;
    using System.Web;
    using System.Web.Security;

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Mark the forms authentication cookie and the session cookie as Secure,
        // but only on HTTPS requests.
        if (Request.IsSecureConnection)
        {
            if (Response.Cookies.Count > 0)
            {
                foreach (string s in Response.Cookies.AllKeys)
                {
                    if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
                    {
                        Response.Cookies[s].Secure = true;
                    }
                }
            }
        }
        else
        {
            // Not secure: don't issue a session cookie at all. Blank the value and
            // set an expiry in the past so the browser discards it.
            Response.Cookies["asp.net_sessionid"].Value = string.Empty;
            Response.Cookies["asp.net_sessionid"].Expires = new DateTime(2018, 01, 01);
        }
    }
0
May 14 '18 at 13:38
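To verify that whichever of the fixes above you chose actually took effect, it helps to audit the Set-Cookie headers as a proxy or test harness sees them. The following is an added example, not code from any of the answers: it parses Set-Cookie headers and reports the three things discussed on this page (missing Secure, missing HttpOnly, and a session or auth cookie issued at all on a plain-HTTP response, which is the scanner finding in the answer above). The cookie names are ASP.NET's defaults; the sample header values are constructed.

```python
from typing import Dict, List, Tuple

# Default ASP.NET cookie names for session state and forms authentication.
SENSITIVE_COOKIES = {"asp.net_sessionid", ".aspxauth"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_response(scheme: str, set_cookie_headers: List[str]) -> List[str]:
    """Return findings for one response; scheme is the request scheme, "http" or "https"."""
    findings: List[str] = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in SENSITIVE_COOKIES:
            continue  # only session and auth cookies matter here
        if scheme == "http":
            # Issued on the unencrypted leg before any redirect to HTTPS:
            # the cookie is in cleartext on the wire before Secure can help.
            findings.append(f"{name}: issued over plain HTTP")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample responses, in the shape ASP.NET emits them.
DEFAULT_HEADERS = ["ASP.NET_SessionId=abc123; path=/; HttpOnly"]
HARDENED_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    ".ASPXAUTH=deadbeef; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for scheme, headers in [("https", DEFAULT_HEADERS),
                            ("https", HARDENED_HEADERS),
                            ("http", DEFAULT_HEADERS)]:
        print(scheme, audit_response(scheme, headers))
```

Feed it the raw Set-Cookie headers from a real response (for example from your proxy's log) along with the scheme the client used; an empty findings list for every response that issues ASP.NET_SessionId or .ASPXAUTH is what you want to see.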

If the entire site uses HTTPS, your sessionId cookie is as secure as HTTPS encryption. This is because cookies are sent as HTTP headers, and when using SSL, HTTP headers are encrypted using SSL during transmission.

-3
May 12 '11 at 13:32
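Whether an all-HTTPS site still needs the Secure flag comes down to what the browser does when it is induced to make a plain-http request to the same host. The following is an added example, not part of any answer above: a minimal model of the browser's cookie-sending decision for the Secure attribute (RFC 6265 section 5.4: a Secure cookie is only attached to requests over a secure scheme). The host name, cookie value and URLs are constructed; path and expiry handling are deliberately left out of the model.

```python
from typing import Dict, List
from urllib.parse import urlsplit


class Cookie:
    def __init__(self, name: str, value: str, secure: bool, http_only: bool) -> None:
        self.name, self.value = name, value
        self.secure, self.http_only = secure, http_only


class CookieJar:
    """Host-scoped jar; path and expiry are ignored to keep the model small."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, Cookie]] = {}

    def set_cookie(self, host: str, cookie: Cookie) -> None:
        self._store.setdefault(host, {})[cookie.name] = cookie

    def cookies_for(self, url: str) -> List[str]:
        """Return the Cookie header items the browser would send to url."""
        parts = urlsplit(url)
        sent: List[str] = []
        for c in self._store.get(parts.hostname or "", {}).values():
            # RFC 6265 5.4: a Secure cookie is only sent over a secure scheme.
            if c.secure and parts.scheme != "https":
                continue
            sent.append(f"{c.name}={c.value}")
        return sent


def session_leaks_over_http(secure_flag: bool) -> bool:
    """Site sets the session cookie over HTTPS, then the victim's browser is made
    to fetch a plain-http URL on the same host (an injected <img src="http://...">,
    a typed URL, a captive portal). Returns True if the session ID goes out in
    cleartext; no server needs to be listening on port 80 for that to happen."""
    jar = CookieJar()
    jar.set_cookie("app.example",
                   Cookie("ASP.NET_SessionId", "abc123", secure_flag, http_only=True))
    # The cookie is sent on the site's own HTTPS requests either way.
    assert "ASP.NET_SessionId=abc123" in jar.cookies_for("https://app.example/account")
    # Attacker-induced request on the plaintext scheme.
    return "ASP.NET_SessionId=abc123" in jar.cookies_for("http://app.example/")


if __name__ == "__main__":
    print("without Secure, leaks:", session_leaks_over_http(secure_flag=False))
    print("with Secure, leaks:", session_leaks_over_http(secure_flag=True))
```

The TLS channel protects the cookie only on requests the browser chooses to send over TLS; the Secure attribute is what stops it from being sent on the ones that are not. HSTS narrows the window further but does not remove the need for the flag.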
