Re: ASP.NET Cookie Handling

From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Aug 2006 17:24:55 +0000 (UTC)

Hi,

the session feature is not designed for such security features - there is no requireSSL setting e.g. - so session cookies will always be sent - regardless of SSL.

You could append the secure attribute manually though.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

I have some questions about persistent and session cookie handling
that I can't quite get ironed out.

I have two applications. One is Framework 1.1, W2K3 / IIS6, the other
is 2.0, W2K3 / IIS6. For both, HTTPS / SSL is enabled, but not forced,
because we use redirection to direct users that request HTTP to HTTPS
for the sake of usability. The questions are:

For persistent cookies, will the client and server use both HTTP and
HTTPS for each cookie operation? Everything that I have read points to
"yes", unless the cookie employes the "secure" option, in which case
only HTTPS will be used.

The question is the same for session cookies. Since the cookie is sent
as a header, I would think it would be only HTTPS, but I would have
thought the same thing about persistent cookies. Are cookie headers
sent only via HTTPS in this scenario or will they use HTTP as well?

Also, I noticed that both Frameworks seem vulnerable to the issue
where browsing to non-HTTPS pages causes the same session ID to be
used for HTTP and HTTPS. This isn't fixed in 2.0 / IIS 6?

Thanks so much for any help! I've read the rfc docs, cookie specs, and
articles on MSDN, but can't quite find a definitive answer. And
unfortunetly, it's impossible to tell on the client side. I've used
Fiddler to view mixed content pages, but unfortunetly, client-side
every object appears as SSL, regardless of how it was delivered.

Prev by Date: Re: Windows Authentication in VB.Net Application
Next by Date: Re: Windows Authentication in VB.Net Application
Previous by thread: Re: Client certificate error with web services
Next by thread: Re: ASP.NET Cookie Handling
Index(es):
- Date
- Thread

Relevant Pages

Re: Perl and Online Banking
... navigate to the https site that list my account details. ... The session is usually opened through the use of cookies. ... LWP will take care of accepting new cookies from the server ... server will send you an HTML page that contains javascript code. ...
(comp.lang.perl.misc)
Re: ASP.NET Cookie Handling
... Persistent vs. session for cookies just determines whether the browser will ... that force SSL only as with persistent cookies? ... because we use redirection to direct users that request HTTP to HTTPS ...
(microsoft.public.dotnet.security)
Re: ASP.NET Cookie Handling
... now that I see that ASP reuses the same session ID. ... Persistent vs. session for cookies just determines whether the browser will ... that force SSL only as with persistent cookies? ... because we use redirection to direct users that request HTTP to HTTPS ...
(microsoft.public.dotnet.security)
Re: Sessions/Cookies between sites
... Session variables are still retained when switching from ... http to https, I never knew it was a bug, I hope Microsoft ... session variables and cookies will not be shared ...
(microsoft.public.inetserver.asp.db)
Re: Caching .txt files
... Regardless of your seemingly self consumed nature I still stand by ... Regardless, if you want a flash-less solution, you could ... needs to store around 500k of data, otherwise it uses cookies to store ... ISTM that yes, it does not only require Flash, but also a very particular ...
(comp.lang.javascript)