Re: How to enable "Secure" cookie ?



Please clarify what you are trying to accomplish and secure. You never
indicated what sort of application you are talking about, nor what you
are trying to secure. Security is a state of awareness that is
constantly in flux and changing, not a bunch of static settings to
configure and bam everything is magically secure.

I mean, someone briefly suggested that turning off the computer may be
related to computer security. Why don't you try that as well? ;-)

You can't just ask about "cookies" and "security" in general. For
example, AspKeepSessionIDSecure property is specific to ASP
applications and handled by ASP.DLL itself. The property is stored in
the IIS metabase, but it is not a "setting in IIS". It is not
applicable to other application frameworks like ASP.Net or PHP.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Dec 6, 6:49 am, "Zester" <z...@xxxxxxxxxxxxx> wrote:
What about AspKeepSessionIDSecure property setting? Somebody briefly
suggested that it might be something related to cookie security. What does it
do? thanks!

"David Wang" <w3.4...@xxxxxxxxx> wrote in message

news:b45c7e69-6389-4551-b4e4-2741d1587038@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Dec 5, 5:42 pm, "Zester" <z...@xxxxxxxxxxxxx> wrote:
Hi,

Is there a way to enable "security" cookie property? Someone mentioned to
me that we can make an application's cookie more secure that way. I assume
that it's a setting in IIS. I'm running version 6. thanks!

What you are asking for is specific to your application framework
(ASP, ASP.Net, PHP, etc) and actually has nothing to do with IIS.
Thus, there will never be a setting in IIS for what you are asking
for. It will always be a setting within your application framework.

IIS is an HTTP server, which is supposed to be stateless, which means
that it does not care about stateful things like cookies nor how
secure they are being used (IIS can ensure secure transport of the
cookie data, but it has no way nor reason to ensure the security of
the cookie data itself nor how that data is used).

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
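An added example, not part of the original thread: a small Python check over captured Set-Cookie headers that reports cookies lacking the Secure attribute and names the framework setting that controls it, following the point above that the flag belongs to the application framework. The sample headers are constructed, and the ASP.NET and PHP setting names (`requireSSL`, `session.cookie_secure`) are not from the thread.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# Session cookie name prefix -> (framework, where its Secure flag is configured).
# Only AspKeepSessionIDSecure comes from the thread; the other two are the
# corresponding ASP.NET and PHP settings.
FRAMEWORKS = {
    "ASPSESSIONID": ("ASP", "AspKeepSessionIDSecure (IIS metabase, read by ASP.DLL)"),
    "ASP.NET_SessionId": ("ASP.NET", "requireSSL on <httpCookies> in web.config"),
    "PHPSESSID": ("PHP", "session.cookie_secure in php.ini"),
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes are everything after the first name=value pair, so a cookie
    # whose *value* is "secure" is not mistaken for one carrying the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def identify(name):
    """Map a cookie name to the framework that issues it, if recognised."""
    for prefix, info in FRAMEWORKS.items():
        if name.lower().startswith(prefix.lower()):
            return info
    return ("unknown", "the application code that issues the cookie")

def audit(headers):
    """Return (cookie name, framework, where to fix) for cookies without Secure."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name,) + identify(name))
    return findings

# Constructed sample headers, as a proxy or browser trace might show them.
SAMPLE = [
    "ASPSESSIONIDQQSCABCD=EXAMPLEVALUE; path=/",
    "ASP.NET_SessionId=examplevalue; path=/; HttpOnly; Secure",
    "PHPSESSID=examplevalue; path=/; secure; HttpOnly",
    "mode=secure; path=/; expires=Wed, 09 Jun 2027 10:18:14 GMT",
]

if __name__ == "__main__":
    for name, framework, fix in audit(SAMPLE):
        print(f"{name}: no Secure attribute ({framework}; set via {fix})")
```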


