In one of my previous posts I discussed why we need to mark cookies as Secure. It is essential to mark the forms authentication cookie and the session cookie as Secure because they carry sensitive user information. A quick way to mark the ASP.NET session cookie (by default asp.net_sessionid) and the forms authentication cookie (by default .ASPXAUTH) as Secure is to add the following code to your EndRequest event handler. This code can live in an HttpModule or in your global.asax file.
// This code marks the forms authentication cookie and the
// session cookie as Secure. It runs in the EndRequest event
// (global.asax shown here; an HttpModule works the same way) and
// needs using directives for System.Web and System.Web.Security.
void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        foreach (string s in Response.Cookies.AllKeys)
        {
            // compare the session cookie name case-insensitively; the default name is ASP.NET_SessionId
            if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
            {
                Response.Cookies[s].Secure = true;
            }
        }
    }
}
The forms authentication cookie can also be marked Secure by setting the requireSSL attribute in the tag in the web configuration file.
One key thing to note: if the server has not been set up for SSL and this logic is used, the browser will never send the Secure cookie back over HTTP, so a new session will be generated for each request. Be sure to use this code only when HTTPS is used on the web server.
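As an added example (not the post's own code), the same logic as a self-contained HttpModule that also applies the caveat above: it marks the cookies Secure only when the request actually arrived over HTTPS (Request.IsSecureConnection), so a non-SSL deployment cannot fall into the new-session-per-request loop. The class name SecureAuthCookiesModule is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module (added example) that marks the forms authentication
// cookie and the session cookie Secure in EndRequest, guarded so that it
// only acts on requests that really came in over HTTPS.
public class SecureAuthCookiesModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        HttpResponse response = app.Context.Response;

        // The caveat from the post: a Secure cookie is never returned over
        // plain HTTP, so flagging it on an HTTP request discards the session
        // on every round trip. Skip non-SSL requests instead of breaking them.
        if (!request.IsSecureConnection)
        {
            return;
        }

        foreach (string name in response.Cookies.AllKeys)
        {
            if (IsSensitiveCookie(name))
            {
                response.Cookies[name].Secure = true;
            }
        }
    }

    // The session cookie is "ASP.NET_SessionId" by default; compare
    // case-insensitively as the post does. If sessionState cookieName has
    // been customised in web.config, this check must use that name instead.
    internal static bool IsSensitiveCookie(string name)
    {
        return name == FormsAuthentication.FormsCookieName
            || string.Equals(name, "asp.net_sessionid", StringComparison.OrdinalIgnoreCase);
    }
}
```

Register the module under system.web/httpModules (classic pipeline) or system.webServer/modules (integrated pipeline) in web.config.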
April 28, 2008 at 11:45 pm
What is the relationship between the forms authentication cookie and the session id cookie? Does ASP.NET do any validation of one against the other one or are they completely independent?
October 18, 2008 at 10:46 pm
The ASP.NET authentication cookie and the session cookie are completely independent of one another. As a test I have set up an application using Forms Authentication, logged into it via two different browsers and then manually transferred the session cookie from one to the other; the result was two separate browsers with different authentication tickets sharing a single session.
June 11, 2009 at 7:37 am
Hi,
For me it doesn't work on a real live website with correct SSL.
If the visitor comes from http and I try to mark the ASP.NET session cookie as Secure before the redirect, the ASP.NET website crashes, but only the first time, at the point where it tries to redirect to the https page; the problem appears only once. How to solve that?
June 12, 2009 at 2:26 am
Hey Demon,
If the server has not been set up for SSL and you try to mark the cookie Secure, a new session will be generated for each request. This will lead to an infinite loop, causing the site to crash. Be sure to use this code only when HTTPS is used on the web server. One way is to check if the referring URL has https.