Cookie Protection in ASP.NET and SSL

Let's say that my ASP.NET website is served over SSL only. Does this mean that I don't have to worry about encrypting cookies explicitly using the methods described in the following links to protect them?

How to protect a website session cookie?

How to protect ASP.NET_SessionId cookie?

Encrypt Cookies in ASP.NET

Or should I add this code to my web.config file?

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

Note

I am not trying to create a cookie in my code. They are created by creating sessions.

+4
2 answers

Does this mean that I don't have to worry about encrypting cookies explicitly using the methods described in the following links to protect them?

This will greatly depend on what information you store in these cookies and whether you care about how the user can manipulate it. For example, FormsAuthentication cookies are always encrypted because they contain the name of the authenticated user. If they were not encrypted, the user could simply fake the request and replace his username with, for example, admin. The fact that a cookie is sent via SSL is not an obstacle for him.

On the other hand, if you save some user preferences, such as a background theme, you probably don't care if the user fakes a request in which he changes his background color from blue to red, right?

So, to conclude: if you do not want the user to be able to change the value of the cookie, you must encrypt it, whether it is sent over SSL or not.

SSL is used to protect against man-in-the-middle attacks, in which the end user's cookie value can be stolen by a man-in-the-middle.
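The answer's point that a cookie value must be protected from the user regardless of SSL can be shown with ASP.NET's built-in MachineKey data protection. The following is an added example, not code from the answer above; it assumes ASP.NET 4.5 or later (System.Web.Security.MachineKey.Protect/Unprotect), a stable <machineKey> element in web.config so values survive application restarts, and the hypothetical purpose string "ExampleApp.UserPrefs.v1".

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example: a cookie whose value is encrypted and integrity-protected server-side.
// SSL hides the value from a man-in-the-middle; this protects it from the user who holds it.
public static class TamperProofCookie
{
    // Hypothetical purpose string: binds the protected payload to this one use, so a
    // payload protected for a different purpose will not unprotect here.
    private const string Purpose = "ExampleApp.UserPrefs.v1";

    public static void Write(HttpResponseBase response, string name, string value)
    {
        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(value), Purpose);
        var cookie = new HttpCookie(name, HttpServerUtility.UrlTokenEncode(protectedBytes))
        {
            HttpOnly = true, // not readable from script in the browser
            Secure = true    // only sent by the browser over HTTPS
        };
        response.Cookies.Add(cookie);
    }

    // Returns false for a missing, malformed, or modified cookie; the caller then
    // treats the value as absent rather than trusting whatever the client sent.
    public static bool TryRead(HttpRequestBase request, string name, out string value)
    {
        value = null;
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return false;

        try
        {
            byte[] raw = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (raw == null)
                return false;

            byte[] plain = MachineKey.Unprotect(raw, Purpose);
            if (plain == null)
                return false;

            value = Encoding.UTF8.GetString(plain);
            return true;
        }
        catch (CryptographicException)
        {
            // Any change to the stored value, even a single byte, fails the integrity check.
            return false;
        }
    }
}
```

A controller or page would call Write(Response, "prefs", "theme=blue") and later TryRead(Request, "prefs", out var prefs); a client that edits the cookie to read "theme=red" or anything else gets a CryptographicException server-side and is treated as having no cookie, which is the property the answer asks for when the value is something the user must not control.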

+2

You do not create custom cookies, so let's see what cookies are created by asp.net.

It creates two primary cookies, one for the session and one for the credentials.

Now, for your part, you must decide what information is critical and should be safe.

If you decide that all user information is sensitive and needs protection, then you will make your entire site secure under SSL, and you will add requireSSL="true" to both httpCookies and authentication/forms.

If you decide that only some pages are sensitive, then those are the pages that require login, and those are the pages that should be protected by SSL, and then you use requireSSL="true" for authentication/forms:

<authentication mode="Forms">
    <forms requireSSL="true" ... />
</authentication>

Now one note: if you set requireSSL="true", then the cookie is read/used only on secure SSL pages. Thus, your entire site should be https://.

About ssl and cookies:
Preparing my ASP.NET/MVC site to use SSL?
Can a hacker steal a cookie from a user and log in with that name on a website?
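The note above about requireSSL="true" has a practical consequence: a browser will not send the session or forms-authentication cookie on a plain http:// request, so any HTTP page sees the user as logged out. The following is an added example, not code from the answer, showing one way to keep the whole site on HTTPS so those cookies always reach the server. It assumes a classic ASP.NET (System.Web) application with a Global.asax code-behind.

```csharp
using System;
using System.Web;

// Added example: redirect every plain-HTTP request to its HTTPS equivalent, so that
// cookies marked requireSSL="true" are always sent by the browser.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        if (request.IsSecureConnection)
        {
            // Already HTTPS: tell the browser to keep using HTTPS for this host.
            // Hypothetical max-age of one year; adjust to the site's rollout plan.
            Context.Response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        // Rebuild the same URL with the https scheme and the default port (Port = -1).
        var builder = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };

        // 302 to the HTTPS URL and stop processing the HTTP request.
        Context.Response.Redirect(builder.Uri.AbsoluteUri, endResponse: true);
    }
}
```

With this in place the combination of httpCookies requireSSL="true" and forms requireSSL="true" from the answer cannot produce a login loop, because no page is ever served over plain HTTP; the HSTS header additionally stops the browser from making the first plain-HTTP request on later visits.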

+1

Source: https://habr.com/ru/post/1490111/
