how do I force secure ASP.NET session cookies?

ed.devlin_at_detica.com
Date: 11/25/03

    Date: 25 Nov 2003 11:03:25 -0000
    To: focus-ms@securityfocus.com
    
    

    I am running a pure SSL website using forms authentication with encrypted authentication cookies. I can tell ASP.NET to issue the authentication cookie with .Secure=true so that the browser only submits the cookie over an SSL connection.

    However, the server does respond to http requests as well, in order to redirect the browser to the SSL-enabled website.

    My problem is that the ASP.NET session cookie (not the auth cookie) is NOT being issued with .Secure=true. This means that if the user removes the https:// prefix from the URL while they are browsing, the browser will still submit the session cookie unencrypted.

    Does anyone know how I can force ASP.NET to issue session cookies with .Secure=true, in the same way I can use the <forms requireSSL=true> element in machine.config to secure the auth cookie?

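One way to get the behaviour asked for above, as an added example that is not part of the original post: a Global.asax code-behind that flags the session-state cookie Secure in Application_EndRequest, after the session-state module has added it to the response. The cookie name "ASP.NET_SessionId" is ASP.NET's default; the example assumes the site's pages are served over HTTPS and that the plain-HTTP endpoint only redirects and never touches Session (a session created over HTTP would otherwise be issued a cookie the browser will not send back over HTTP).

```csharp
// Added example (not from the original post): Global.asax code-behind for an
// ASP.NET Web Forms application that marks the session-state cookie Secure
// before the response leaves the server. "ASP.NET_SessionId" is the framework's
// default session cookie name; the whole application is assumed to run over HTTPS.
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Runs for every request after the page and the session-state module have
    // executed, so the session cookie (issued on the request that creates the
    // session) is already present in Response.Cookies if it is going out at all.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;

        // Indexing Response.Cookies["name"] silently creates an empty cookie when
        // none exists, which would issue a bogus Set-Cookie on every response.
        // Walk the key list instead and only touch the cookie if it is really there.
        foreach (string name in response.Cookies.AllKeys)
        {
            if (name == SessionCookieName)
            {
                HttpCookie sessionCookie = response.Cookies[name];
                // The browser will now submit the session id over SSL only, so
                // dropping the https:// prefix no longer leaks it in clear text.
                sessionCookie.Secure = true;
            }
        }
    }
}
```

This uses only APIs present in ASP.NET 1.x (HttpCookie.Secure and HttpCookieCollection.AllKeys). On ASP.NET 2.0 and later the same result is available declaratively with `<httpCookies requireSSL="true" />` under `<system.web>` in web.config, which applies to every cookie the application issues, the session cookie included. Either way, confirm the fix by inspecting the response headers of the first request that creates a session and checking that the ASP.NET_SessionId Set-Cookie line carries the `secure` attribute.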

