25

Firesheep has brought the issue of insecure cookie exchanges to the forefront.

How can you ensure that all cookie exchanges are forced to occur only via an SSL-secured connection to the server when you're communicating to a web user?

Our scenario is that the web app is written in ASP.NET 4.0 and hosted on Windows Server 2008 R2 running IIS 7.5 if that narrows the scope some.

AviD
  • 72,138
  • 22
  • 136
  • 218
cpuguru
  • 383
  • 1
  • 4
  • 8
  • You may need to set the cookie's domain property for your cookies, for example: Response.Cookies["your_cookie_name"].Domain = "yourdomain.com"; ... or you can read more information [from here](http://4rapiddev.com/csharp/asp-net-cookie-domains-http-https/) to ensure your cookies can be read from both primary domain and all its sub domains. – Hoan Huynh Mar 26 '12 at 17:28

3 Answers3

23

You can use app.config to force it; the format is (in the <system.web> section)

<httpCookies domain="String"
             httpOnlyCookies="true|false" 
             requireSSL="true|false" />

so you really want, at a minimum

<httpCookies requireSSL='true'/>

But preferably you'll also turn httpOnlyCookies on, unless you're doing some really hooky javascript.

BoffinBrain
  • 101
  • 5
blowdart
  • 859
  • 4
  • 5
19

The safest way to protect your site against Firesheep (and related attacks):

  • Move to site-wide SSL protection: Move your entire site to HTTPS, and disable all HTTP access. In other words, protect your entire site with SSL. Here are some more resources on doing that: how to protect against Firesheep, pros and cons of site wide SSL, why SSL protects against Firesheep.

  • Set the SECURE flag on all cookies: Whenever the server sets a cookie, arrange for it to set the SECURE flag on the cookie. The SECURE flag tells the user's browser to only send back this cookie over SSL-secure (HTTPS) connections; the browser will never send a SECURE cookie over an unencrypted (HTTP) connection. The simplest step is to set this flag on every cookie your site uses.

Also, I recommend some additional steps:

  • Be careful about third-party content: Third-party widgets, libraries, and content can be a security risk. If you include Javascript from third parties (e.g., via <SCRIPT SRC=...>), I recommend that you make sure they reference HTTPS URLs; otherwise, you are exposing the security of your site to active attacks. (See also Jeremiah Grossman's FAQ on third-party widgets.) To avoid inundating your users with mixed-content warnings, you'll want to ensure that all content, including third-party images and libraries, is delivered through HTTPS as well.

Some might argue that the above is overkill. In some cases, it may be possible to protect against Firesheep by using SSL on only part of the site. However, doing so requires care and detailed knowledge, and is trickier to get right. Given that you have to ask the question here, I personally recommend that you start with site-wide SSL; you have a better chance of getting it right.

How to implement this in IIS: I am not an IIS expert, so I cannot give you a definitive recipe on how to implement these steps in IIS. However, this reference on enabling SSL on IIS may be useful to you. It sounds like you can right-click on the site root, choose Properties, click on the Directory Security tab, then in Secure Communications, click Edit and enable Require Secure Channel (SSL). I do not know how to configure IIS to set the SECURE flag automatically on all cookies. For migrating an existing site, I recommend that you set up a redirect so that anyone who visits a HTTP page is redirected to HTTPS. The following references may help with that (untested): redirecting to HTTPS, three methods for redirecting to HTTPS. If migrating an existing site, you will also need to change all links and references to your site from http: URLs to https: URLs. I'm not certain how to configure ASP.NET to set the SECURE flag on all cookies, but I think you can add cookieRequireSSL="true" or <httpCookies requireSSL="true"> to your Web.config; that is important to do, and especially important if you have HTTP enabled or if you have some kind of redirect from HTTP pages to HTTPS pages. Finally, there's a lot of material published on performance tuning for HTTPS.

D.W.
  • 98,420
  • 30
  • 267
  • 572
1

I came across this thread while resolving to issue myself. The resolution I had is that cookie paths are case sensitive. Here is the related question.

https://stackoverflow.com/questions/399982/why-are-cookie-paths-case-sensitive

My resolution was to redirect from the landing page to the correct path. Be sure to look out for possible redirect loops.

url.com/VirtualDirectory/default.aspx ->

//which will now give the correct path url.com/virtualdirectory/default.aspx response.redirect("~/default.aspx");

MichaelChan
  • 225
  • 1
  • 3
  • 8