
So I've been looking into implementing HttpOnly and Secure cookies in my web environment. I have an F5 as the load balancer and a couple of C# web applications hosted in IIS 7.5 for the website. The .NET applications are an old ASP.NET legacy application and a newer MVC4 application.

I stumbled across this interesting article on how to implement the change. http://geekflare.com/f5-irule-to-secure-cookie-with-httponly-and-secure/

My question is, does setting the flags at the load balancer defeat the purpose? Will .NET honor the flags even if it was the load balancer that put them on?

Thanks, Alex

user1079703

1 Answer

Making sure the cookies are only sent via SSL (Secure) and making sure only the server can access the cookie (HttpOnly) are client-side protections, so it doesn't matter if they are set at the server or the intermediary (BIG-IP).

Jason Rahm
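The following is an added example, not code from the answer or the linked article. It models an intermediary appending the flags to `Set-Cookie` headers and audits what the browser would receive. The helper names and sample header values are constructed for illustration.

```python
# Added illustration: hypothetical helpers, constructed sample headers.
REQUIRED = ("Secure", "HttpOnly")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def harden(header):
    """Model of the intermediary's rewrite: append each flag only if it is absent."""
    _, attrs = parse_set_cookie(header)
    for flag in REQUIRED:
        if flag.lower() not in attrs:
            header += "; " + flag
    return header

def audit(headers):
    """Return {cookie name: [missing flags]} for the headers a client would receive."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [f for f in REQUIRED if f.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

# Constructed headers as the back-end application might emit them.
FROM_APP = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "prefs=theme=dark; path=/",
    ".ASPXAUTH=constructedvalue; path=/; secure; HttpOnly",
]

# What the browser sees after the intermediary's rewrite.
AT_CLIENT = [harden(h) for h in FROM_APP]

if __name__ == "__main__":
    print("before rewrite:", audit(FROM_APP))
    print("after rewrite: ", audit(AT_CLIENT))
```

The browser enforces the attributes it finds in the response it receives, and the `Cookie` request header sent back carries only name=value pairs, so the application never sees the flags either way. Cookies created by page script through `document.cookie` never pass through the intermediary as `Set-Cookie` headers and are not covered by such a rewrite.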