
I have included the lines of code below in my Web.Config and Global.asax.cs files, but when I use the developer tools in the browser I see that the secure flag is still not set for the cookies below. I also configured SSL Settings in IIS (selected the Require SSL checkbox).

I would like to set the secure attribute on all cookies, not only on received cookies but also on sent cookies.

In Web.config:

<httpCookies requireSSL="true"/>

In Global.asax.cs:

protected void Application_EndRequest(object sender, EventArgs e)
{
    if (Request.IsSecureConnection && HttpContext.Current.Request.Url.Scheme == "https")
    {
        // Request cookies: the indexer returns null when the session cookie is
        // absent, so guard it to avoid a NullReferenceException.
        HttpCookie sessionRequestCookie = Request.Cookies["ASP.NET_SessionId"];
        if (sessionRequestCookie != null)
        {
            sessionRequestCookie.Secure = true;
        }
        foreach (string s in Request.Cookies.AllKeys)
        {
            Request.Cookies[s].Secure = true;
        }

        // Response cookies: these become Set-Cookie headers. The Response.Cookies
        // indexer creates an empty cookie when the name does not exist, so only
        // the cookies already present (including the session cookie, if any)
        // are touched here.
        foreach (string s in Response.Cookies.AllKeys)
        {
            Response.Cookies[s].Secure = true;
        }
    }
}

Then I hosted my application on IIS 7.5 on my local machine and enabled the Require SSL option in SSL Settings. When I click Browse *:443 (https), I can see localhost running over HTTPS, but when I check the cookie attributes in the browser, the secure flag is not set.

Am I missing any configuration here?

Screenshot of developer tools, where a received cookie is marked as secure but sent cookies are not.

Anders
Tech Learner

1 Answer

Your confusion is the result not of a coding or configuration error, but of a misunderstanding about how cookies work.

When the server wants to create or change a cookie, it does so with the Set-Cookie response header. There, the server can also specify how the browser should treat the cookie, e.g. how long to keep it, if it is secure or not, etc. This information is only sent once, when the cookie is first created.

At every request, the client sends all the cookies to the server in the Cookies request header. It then only sends the names and values. The additional information (e.g. the secure flag) is not sent. Those are instructions from the server to the client, and there is no need for the client to repeat the instructions back to the server.

So, a cookie is "secure" if the server included the secure flag in the Set-Cookie header. What the client then sends in the Cookies header is irrelevant. Trying to mark the request cookies as secure, as you do, therefore makes little sense.

So why are the sent cookies not reported as secure in your developer tools? It is simply because the field is not applicable to them, and therefore left blank. I don't know how to do it in IE, but if you switch to Chrome you can get a list of all cookies under the "Application" tab, and you can easily see which ones are marked as secure.

Disclaimer: I am not an ASP.NET programmer.

Anders
  • How to check the same in IE – Tech Learner Oct 12 '17 at 14:25
  • I don't think IE lets you check if a cookie is marked with the "secure" flag, or at least I can't find where. You can see it if you log the request where the cookie is first set, in the view that you took a screenshot of. But after that, I don't know. – Anders Oct 12 '17 at 14:39
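The cookie lifecycle the answer describes, as an added example that is not part of the original question or answer: a small model of a browser cookie jar that records attributes from Set-Cookie response headers, builds the Cookie request header from names and values only, and withholds Secure cookies from plain http requests. The Set-Cookie headers and cookie values are constructed for the example; the class and function names are invented here and do not correspond to any ASP.NET or browser API. The check at the end is the one a reviewer would run against the server's responses, since that is the only place the Secure flag can appear.

```python
"""Model of how a browser handles cookie attributes (added example).

Attributes such as Secure and HttpOnly travel only in the server's Set-Cookie
response header. The browser stores them and uses them to decide whether to
send a cookie, but the Cookie request header carries names and values only.
The headers below are constructed for the example, not taken from a real site.
"""

# Constructed Set-Cookie headers as a server might emit them.
SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",  # constructed; no Secure flag
    "prefs=dark; path=/; Secure; HttpOnly",        # constructed; Secure set
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are lower-cased;
    flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


class BrowserCookieJar:
    """Stores cookies together with their attributes, as a browser does."""

    def __init__(self):
        self.cookies = {}  # name -> (value, attrs)

    def receive(self, set_cookie_headers):
        """Apply Set-Cookie headers from a response; later headers overwrite."""
        for header in set_cookie_headers:
            name, value, attrs = parse_set_cookie(header)
            self.cookies[name] = (value, attrs)

    def cookie_header(self, scheme):
        """Build the Cookie request header for a request over `scheme`.

        Only name=value pairs are sent; the stored attributes never leave the
        jar. Secure cookies are omitted entirely on a plain http request.
        (Path and Domain matching are left out to keep the model short.)
        """
        pairs = []
        for name, (value, attrs) in self.cookies.items():
            if attrs.get("secure") and scheme != "https":
                continue
            pairs.append(f"{name}={value}")
        return "; ".join(pairs)


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies that were set without the Secure attribute.

    Run this against the server's responses: that is where the flag must be
    present. Inspecting request cookies says nothing about it.
    """
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not attrs.get("secure"):
            missing.append(name)
    return missing


if __name__ == "__main__":
    jar = BrowserCookieJar()
    jar.receive(SET_COOKIE_HEADERS)
    print("Cookie header over https:", jar.cookie_header("https"))
    print("Cookie header over http: ", jar.cookie_header("http"))
    print("Set without Secure:", cookies_missing_secure(SET_COOKIE_HEADERS))
```

Running it shows that the Cookie header never contains the word "Secure", whichever scheme is used, and that the session cookie is the one reported as missing the flag; the same check can be pointed at real Set-Cookie headers captured from a response.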