Re: how do I force secure ASP.NET session cookies?

From: Mark Burnett (mb_at_xato.net)
Date: 11/25/03

  • Next message: Dominick Baier: "RE: are my binaries being exposed on my ASP.NET website?"
    To: <ed.devlin@detica.com>, <focus-ms@securityfocus.com>
    Date: Tue, 25 Nov 2003 10:03:55 -0700
    
    

    Just access the ASP.NET session cookie directly and mark it as secure:
    Response.Cookies("ASP.NET_SessionId").Secure = True

    Mark

    On 25 Nov 2003 11:03:25 -0000, ed.devlin@detica.com wrote:
    >
    >
    > I am running a pure SSL website using forms authentication with
    > encrypted authentication cookies. I can tell ASP.NET to issue the
    > authentication cookie with .Secure=true so that the browser only
    > submits the cookie over an SSL connection.
    >
    >
    > However, the server does respond to http requests as well, in order
    > to redirect the browser to the SSL-enabled website.
    >
    >
    > My problem is that the ASP.NET session cookie (not the auth cookie)
    > is NOT being issued with .Secure=true. This means that if the user
    > removes the https:// prefix from the URL while they are browsing,
    > the browser will still submit the session cookie unencrypted.
    >
    >
    > Does anyone know how I can force ASP.NET to issue session cookies
    > with .Secure=true, in the same way I can use the <forms
    > requireSSL=true> element in machine.config to secure the auth
    > cookie?
    >
    >

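One way to apply the advice above from a single place, as an added example (not code from either poster): set the Secure flag on the session cookie in Global.asax at the end of every request. The cookie name "ASP.NET_SessionId" is the ASP.NET 1.x default; the class and handler names follow the usual Global.asax convention and are assumed here. The important detail is to check that the response actually carries a session cookie before touching it: the Response.Cookies indexer creates an empty cookie of that name when none exists, and issuing that to the browser would wipe the user's session on every subsequent request.

```csharp
// Added example (not from the original thread): force the Secure flag on the
// ASP.NET session cookie from Global.asax. Assumes the default cookie name
// "ASP.NET_SessionId" and response buffering left on (the default), so that
// headers have not yet been sent when Application_EndRequest runs.
using System;
using System.Web;

public class Global : HttpApplication
{
    private const string SessionCookieName = "ASP.NET_SessionId";

    // Runs late in the pipeline, after SessionStateModule has decided whether
    // this response needs to set a session cookie at all.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;

        // Look for the cookie without using the indexer: on a response that
        // carries no session cookie, response.Cookies[name] would create and
        // add an empty cookie of that name, which the browser would store in
        // place of the real session id.
        if (!ResponseHasCookie(response, SessionCookieName))
        {
            return;
        }

        // Safe now: the cookie exists, so the indexer returns it rather than
        // creating a new one. Secure=true makes the browser send it only
        // over https://, which is what the original question asked for.
        HttpCookie sessionCookie = response.Cookies[SessionCookieName];
        sessionCookie.Secure = true;
    }

    // Case-insensitive existence check over the outgoing cookie names.
    private static bool ResponseHasCookie(HttpResponse response, string name)
    {
        foreach (string key in response.Cookies.AllKeys)
        {
            if (string.Equals(key, name, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }
}
```

This covers the case the question is about: a new session created during a request, whose cookie would otherwise go out without the Secure attribute. Verify it the same way you would any cookie flag, by inspecting the Set-Cookie header of the first response that starts a session and confirming it carries "secure". ASP.NET 2.0 later added a declarative equivalent, the `<httpCookies requireSSL="true" />` element in web.config, which applies the flag to every cookie the application issues; on the 1.x framework the thread is discussing, the handler above is the available option.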

