It is important to secure the cookies used by a web application. While storing sensitive information in a cookie is a bad idea in the first place, sometimes using cookies becomes almost essential. There are three properties that can be set on an HttpCookie object to secure the cookie. We will discuss them:
- fooCookie.HttpOnly = true; - Specifies whether the cookie is accessible by client-side script. Marking a cookie HttpOnly means client-side scripts are unable to read it.
- fooCookie.Secure = true; - Specifies whether to transmit the cookie only over Secure Sockets Layer (SSL), that is, over HTTPS. Any area of a website or web application that contains sensitive information or gives access to privileged functionality requires that all cookies are sent over SSL during the SSL session. If a cookie is marked Secure, it is transmitted only when the communications channel with the host is a secure one; in other words, Secure cookies are sent only to HTTPS (HTTP over SSL) servers. If Secure is not set, the cookie may be captured by an attacker carrying out a man-in-the-middle attack, allowing session hijacking to occur.
- fooCookie.Path = Context.Request.ApplicationPath; - Sets the virtual path to transmit with the cookie. It is good practice to set the cookie's path to the application root.
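As an added example (not code from the original post), the helper below applies all three settings to a cookie before it goes into the response, and refuses to issue a Secure cookie on a request that did not arrive over HTTPS; the class and method names are assumptions, and the web.config fragment in the trailing comment is the site-wide equivalent.

```csharp
using System;
using System.Web;

// Added example, not from the original post: a helper that applies the three
// settings discussed above to a cookie before it is added to the response.
public static class CookieHardening
{
    public static HttpCookie CreateSecuredCookie(HttpContext context, string name, string value)
    {
        // A Secure cookie issued on a plain-HTTP response is never sent back by the
        // browser, so fail loudly instead of silently losing the session.
        // Caveat: behind a load balancer that terminates TLS, IsSecureConnection
        // describes the balancer-to-server hop, not the client's connection.
        if (!context.Request.IsSecureConnection)
        {
            throw new InvalidOperationException(
                "Refusing to issue a Secure cookie over a non-HTTPS request.");
        }

        HttpCookie cookie = new HttpCookie(name, value);

        // Not exposed through document.cookie, so script running in the page cannot read it.
        cookie.HttpOnly = true;

        // Attached only to HTTPS requests; never sent in the clear.
        cookie.Secure = true;

        // Scope the cookie to this application's root instead of the whole host.
        // ApplicationPath is "/" for a root application and "/AppName" otherwise.
        cookie.Path = context.Request.ApplicationPath;

        return cookie;
    }
}

// Usage from a Web Forms page (for example in Page_Load):
//   Response.Cookies.Add(CookieHardening.CreateSecuredCookie(Context, "fooCookie", value));
//
// The same defaults can be enforced for every cookie the application emits
// through web.config, so a forgotten property does not leave one cookie unprotected:
//   <system.web>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
```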
This posting is provided “AS IS” with no warranties, and confers no rights.
October 16, 2008 at 4:06 am
Hi Anubhav,
I am working on a situation where we have a scenario in which the channel between the client and the load balancer is HTTPS, while the channel between the load balancer and the sunOne webserver and the Weblogic behind it is non-secure.
Is there a way to make the cookies secure? We have set cookie-secure in the Weblogic config file, but even then the cookies don't seem to be secure at the client end.
Your help will be greatly appreciated.
Regards,
shiraz