Re: ASP.NET Cookie Handling



You can set the secure (or http only flag for that matter) on both session
and persistent cookies. If you set the secure option, the browser will only
send the cookie on an HTTPS channel, regardless of cookie type.

Persistent vs. session for cookies just determines whether the browser will
save the cookie to the file system and whether it can be used by multiple
browser processes or not.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Aaron Sanders" <AaronSanders@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2EFD0358-26CB-48B5-9E8F-EF1AF1340B00@xxxxxxxxxxxxxxxx
Ok, so in my mind I'm tying the word session to an HTTPS session, but
really it's any ASP session, whether encrypted or not. The session is
tracked regardless. Is there a secure option for session cookies? If there
is, will that force SSL only as with persistent cookies? Sorry, I come from
a PHP background and am not that familiar with ASP.NET yet.

"Dominick Baier" wrote:

Hi,

the session feature is not designed for such security features - there is
no requireSSL setting e.g. - so session cookies will always be sent -
regardless of SSL.

You could append the secure attribute manually though.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

I have some questions about persistent and session cookie handling
that I can't quite get ironed out.

I have two applications. One is Framework 1.1, W2K3 / IIS6, the other
is 2.0, W2K3 / IIS6. For both, HTTPS / SSL is enabled, but not forced,
because we use redirection to direct users that request HTTP to HTTPS
for the sake of usability. The questions are:

For persistent cookies, will the client and server use both HTTP and
HTTPS for each cookie operation? Everything that I have read points to
"yes", unless the cookie employs the "secure" option, in which case
only HTTPS will be used.

The question is the same for session cookies. Since the cookie is sent
as a header, I would think it would be only HTTPS, but I would have
thought the same thing about persistent cookies. Are cookie headers
sent only via HTTPS in this scenario or will they use HTTP as well?

Also, I noticed that both Frameworks seem vulnerable to the issue
where browsing to non-HTTPS pages causes the same session ID to be
used for HTTP and HTTPS. This isn't fixed in 2.0 / IIS 6?

Thanks so much for any help! I've read the RFC docs, cookie specs, and
articles on MSDN, but can't quite find a definitive answer. And
unfortunately, it's impossible to tell on the client side. I've used
Fiddler to view mixed content pages, but unfortunately, client-side
every object appears as SSL, regardless of how it was delivered.
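As an added illustration of the "append the secure attribute manually" advice in this thread (this is example code, not anything posted by Joe, Dominick or Aaron), the following Global.asax handler marks the ASP.NET session cookie Secure and HttpOnly before the response leaves the server. It assumes the default cookie name ASP.NET_SessionId and the .NET 2.0 HttpCookie.HttpOnly property:

```csharp
// Global.asax.cs (example; hooks the standard Application_EndRequest event)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Default name ASP.NET gives its session cookie (configurable in web.config).
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        // Only touch the cookie when this response actually issues one; the
        // Cookies indexer would otherwise create an empty cookie of that name.
        if (Array.IndexOf(response.Cookies.AllKeys, SessionCookieName) < 0)
            return;

        HttpCookie sessionCookie = response.Cookies[SessionCookieName];

        // Secure: the browser returns the cookie only on HTTPS, so a plain HTTP
        // page in the same site no longer carries the same session ID in clear.
        sessionCookie.Secure = true;

        // HttpOnly (property available from .NET 2.0): hides the cookie from
        // client-side script.
        sessionCookie.HttpOnly = true;
    }
}
```

Because a Secure cookie is never sent back over HTTP, a session that was started on an HTTP page before the redirect will not be recognised once the user lands on HTTPS, so the redirect should happen before any session state is written.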
