How to mark Session Cookie Secure

In one of my previous posts I discussed why we need to mark cookies as Secure. It is essential to mark the forms authentication cookie and the session cookie as Secure because they carry sensitive user information. A quick way to mark the ASP.NET session cookie (by default ASP.NET_SessionId) and the Forms authentication cookie (by default .ASPXAUTH) is to add the following code to your EndRequest event handler, either in an HttpModule or in your global.asax file.

// Application_EndRequest in global.asax (or an EndRequest handler in an HttpModule).
// Marks the forms authentication cookie and the session cookie as Secure.
// Requires: using System.Web.Security; (for FormsAuthentication)
void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        foreach (string s in Response.Cookies.AllKeys)
        {
            if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
            {
                // HttpCookie.Secure = true adds the "secure" attribute to the Set-Cookie
                // header, so the browser only returns the cookie over HTTPS.
                Response.Cookies[s].Secure = true;
            }
        }
    }
}

The Forms Authentication cookie can also be marked Secure declaratively, by setting the requireSSL attribute on the <forms> element in the web configuration file.

One key thing to note: if the server has not been set up for SSL and this logic is used, the browser will not send a Secure cookie back over plain HTTP, so a new session will be generated for each request. Use this code only when HTTPS is in use on the web server.
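The following is an added example, not code from the original post: an IHttpModule that applies the same EndRequest logic but guards against the failure mode just described by checking Request.IsSecureConnection before touching the cookies. The module name SecureAuthCookiesModule is an assumption; the cookie names come from the post (FormsAuthentication.FormsCookieName and the default ASP.NET_SessionId). The marking logic is a separate static method so it can be exercised against a constructed HttpCookieCollection without a live pipeline.

```csharp
// Added example (not from the original post). Marks the forms-authentication and
// session cookies Secure in EndRequest, but only when the request actually arrived
// over HTTPS. Setting Secure on a plain-HTTP request would stop the browser from
// returning the cookie, so ASP.NET would mint a new session on every request.
using System;
using System.Web;
using System.Web.Security;

public class SecureAuthCookiesModule : IHttpModule   // hypothetical module name
{
    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Guard: never flag the cookies Secure on a non-TLS request.
        // Request.IsSecureConnection is true only when this request came over HTTPS.
        if (!ctx.Request.IsSecureConnection)
        {
            return;
        }

        MarkSensitiveCookiesSecure(ctx.Response.Cookies, FormsAuthentication.FormsCookieName);
    }

    // Separated out so it can be tested with a constructed cookie collection.
    // Names are compared case-insensitively: the default session cookie is
    // "ASP.NET_SessionId", which the post's code matches after ToLower().
    public static int MarkSensitiveCookiesSecure(HttpCookieCollection cookies, string formsCookieName)
    {
        int marked = 0;
        foreach (string name in cookies.AllKeys)
        {
            if (string.Equals(name, formsCookieName, StringComparison.OrdinalIgnoreCase) ||
                string.Equals(name, "ASP.NET_SessionId", StringComparison.OrdinalIgnoreCase))
            {
                HttpCookie c = cookies[name];
                c.Secure = true;      // browser returns the cookie only over HTTPS
                c.HttpOnly = true;    // added hardening: also keep it away from script
                marked++;
            }
        }
        return marked;
    }

    // Stand-alone demonstration with a constructed collection (not a real pipeline).
    public static void Main()
    {
        var cookies = new HttpCookieCollection();
        cookies.Add(new HttpCookie("ASP.NET_SessionId", "placeholder-session-id"));
        cookies.Add(new HttpCookie(".ASPXAUTH", "placeholder-ticket"));
        cookies.Add(new HttpCookie("theme", "dark"));

        int n = MarkSensitiveCookiesSecure(cookies, ".ASPXAUTH");
        Console.WriteLine("marked {0} cookie(s) Secure", n);          // 2
        Console.WriteLine("theme.Secure = {0}", cookies["theme"].Secure); // False
    }
}
```

Register the module under `<system.webServer><modules>` (IIS integrated pipeline) or `<system.web><httpModules>` (classic pipeline). Two caveats: Request.IsSecureConnection is false behind a proxy or load balancer that terminates TLS, in which case the guard simply skips marking and the cookies are emitted without the flag; and any change made in EndRequest only reaches the client if the response headers have not already been sent. The declarative alternatives avoid both problems because ASP.NET sets the flag when it creates the cookie: `<forms requireSSL="true" />` for the authentication ticket (with that setting, FormsAuthentication refuses to issue the ticket over HTTP) and `<httpCookies requireSSL="true" />` for every cookie the application emits, the session cookie included.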

This posting is provided “AS IS” with no warranties, and confers no rights.


6 Responses to “How to mark Session Cookie Secure”

  1. Chris Says:

    What is the relationship between the forms authentication cookie and the session id cookie? Does ASP.NET do any validation of one against the other one or are they completely independent?

  2. Jeremy Long Says:

    The ASP.NET authentication cookie and the session cookie are completely independent of one another. As a test I have set up an application using Forms Authentication – logged into it via two different browsers and then manually transferred the session cookie from one to the other – the result was two separate browsers with different authentication tickets sharing a single session.

  3. Demon Says:

    Hi,

    For me it doesn't work on a real live website with correct SSL.
    If the visitor comes from http and I try to mark the ASP.NET session cookie as Secure before the redirect, the ASP.NET website crashes, only the first time, at the point where it tries to redirect to the https page; the problem appears only once. How to solve that?

    • Anubhav Goyal Says:

      Hey Demon,
      If the server has not been set up for SSL and you try to mark the cookie Secure, a new session will be generated for each request. This will lead to an infinite loop, causing the site to crash. Be sure to use this code only when HTTPS is used on the web server. One way is to check if the referring URL has https.

  5. BParsi Says:

    Hi, I tried the above code and Secure is still missing. Please see the output below and let me know.

    HTTP/1.1 302 Found
    Set-Cookie: ASP.NET_SessionId=prxnlz45rnn20b55cdjfnr55; path=/; HttpOnly

    I think it should end with the word secure, as "; secure", in the above output. Could you please let me know another option.

    Thank you,
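An added example, not part of the comment thread or the original post: a small check that parses the Set-Cookie lines of a raw HTTP response and reports which cookies lack the Secure (or HttpOnly) attribute. It is the test a practitioner would run against a captured response like the one quoted above to confirm whether the flag is actually reaching the client. The sample response is constructed for the example, with placeholder cookie values; the class and method names are assumptions.

```csharp
// Added example (not from the original post or the comment). Audits the Set-Cookie
// headers of a raw HTTP response for the Secure and HttpOnly attributes.
using System;
using System.Collections.Generic;
using System.IO;

public static class CookieFlagAudit   // hypothetical name
{
    public sealed class Finding
    {
        public string Name;
        public bool Secure;
        public bool HttpOnly;
    }

    // Parses raw response text (status line followed by headers, ending at the
    // first blank line) and returns one Finding per Set-Cookie header.
    public static List<Finding> Audit(string rawResponse)
    {
        var findings = new List<Finding>();
        using (var reader = new StringReader(rawResponse))
        {
            string line;
            while ((line = reader.ReadLine()) != null)
            {
                line = line.Trim();
                if (line.Length == 0) break;   // end of the header block
                if (!line.StartsWith("Set-Cookie:", StringComparison.OrdinalIgnoreCase)) continue;

                string value = line.Substring("Set-Cookie:".Length).Trim();
                string[] parts = value.Split(';');
                // First segment is "name=value"; everything after ';' is an attribute.
                string name = parts[0].Split(new[] { '=' }, 2)[0].Trim();

                var f = new Finding { Name = name };
                for (int i = 1; i < parts.Length; i++)
                {
                    string attr = parts[i].Trim();
                    if (attr.Equals("Secure", StringComparison.OrdinalIgnoreCase)) f.Secure = true;
                    else if (attr.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)) f.HttpOnly = true;
                }
                findings.Add(f);
            }
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample modelled on the response quoted in the comment above.
        // Cookie values are placeholders, not real identifiers.
        const string sample =
            "HTTP/1.1 302 Found\r\n" +
            "Set-Cookie: ASP.NET_SessionId=placeholder-session-id; path=/; HttpOnly\r\n" +
            "Set-Cookie: .ASPXAUTH=placeholder-ticket; path=/; secure; HttpOnly\r\n" +
            "\r\n";

        foreach (Finding f in Audit(sample))
        {
            Console.WriteLine("{0}: Secure={1} HttpOnly={2}{3}",
                f.Name, f.Secure, f.HttpOnly, f.Secure ? "" : "   <-- missing Secure");
        }
        // ASP.NET_SessionId: Secure=False HttpOnly=True   <-- missing Secure
        // .ASPXAUTH: Secure=True HttpOnly=True
    }
}
```

Run it against a response captured from the real site (browser developer tools or a proxy) rather than the constructed sample; a session cookie that shows up without Secure on an HTTPS page means the flag was never set, or was set after the headers had already gone out.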

