Securing Cookies in Web Application

It is important to secure the cookies used by a web application. Storing sensitive information in a cookie is a bad idea in the first place, but sometimes cookies are almost unavoidable. Three properties can be set on an HttpCookie object to make the cookie more secure. We will discuss each of them:

  1. fooCookie.HttpOnly = true; – Specifies whether a cookie is accessible by client-side script. Marking a cookie HttpOnly prevents client-side scripts from reading it.
  2. fooCookie.Secure = true; – Specifies whether to transmit the cookie only over Secure Sockets Layer (SSL), that is, over HTTPS. Any area of a website or web application that contains sensitive information or gives access to privileged functionality requires that all cookies be sent over SSL during an SSL session. If a cookie is marked Secure, it is transmitted only when the communications channel with the host is a secure one, meaning secure cookies are sent only to HTTPS (HTTP over SSL) servers. If Secure is not set, the cookie may be captured by an attacker carrying out a man-in-the-middle attack, allowing session hijacking.
  3. fooCookie.Path = Context.Request.ApplicationPath; – Sets the virtual path to transmit with the current cookie. It is good practice to set a cookie's path to the application root, so that the cookie is not sent to other applications hosted on the same site.
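Setting the three properties on every cookie by hand is easy to forget on one page. As an added example (not code from the original post), here is an HTTP module that applies all three centrally to the outgoing response; it assumes System.Web (ASP.NET on the .NET Framework), and the class and method names are my own.

```csharp
using System;
using System.Web;
// IHttpModule that applies the three protections to every cookie in the
// outgoing response, so a page that forgets to set them still ships
// hardened cookies. Register it under <system.webServer><modules>
// (IIS integrated mode) or <system.web><httpModules> (classic mode).
public class CookieHardeningModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // Fires after the page has run, just before the response headers
        // (including Set-Cookie) are written to the wire.
        application.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HardenCookies(context.Response.Cookies, context.Request.ApplicationPath);
    }

    // Separated from the event handler so it can be unit-tested against a
    // hand-built HttpCookieCollection.
    public static void HardenCookies(HttpCookieCollection cookies, string applicationPath)
    {
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];

            // 1. Not readable through document.cookie, so script injected into
            //    the page cannot simply read and exfiltrate the value.
            cookie.HttpOnly = true;

            // 2. Sent only over HTTPS. If this response itself went out over
            //    plain HTTP the browser will never return the cookie, which
            //    fails safe instead of exposing it on the wire.
            cookie.Secure = true;

            // 3. Scope to the application root. HttpCookie defaults Path to "/",
            //    which would also send the cookie to every other application
            //    on the host; a narrower path a page chose deliberately is kept.
            if (string.IsNullOrEmpty(cookie.Path) || cookie.Path == "/")
            {
                cookie.Path = applicationPath;
            }
        }
    }
}
```

ASP.NET can also apply the first two settings site-wide through `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config, but that section has no equivalent for Path.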
