I need help with securing cookies for my web application. It's deployed in IIS and is built in ASP.NET MVC. These are the things that I need to get more information about:

  1. Is the Sites folder in IIS Manager also a virtual directory?
  2. If Sites is not a virtual directory, then:
     a. If a website is deployed directly under the Sites folder of IIS Manager, is it really vulnerable to other insecure applications under the same Sites folder? OR
     b. Will it be a vulnerability only in the case of virtual directories?
  3. By default the path attribute of all cookies points to the root, with '/' as its value. Does it point to the hierarchy level of web applications under Sites, and will it affect other non-secure applications? OR does it point to just the web application for which the cookies were created?

After going through this article, I raised the above questions. Just look for the Path Attribute on the page.

If I really need to set the cookie path, then there is one more thing: the cookies are generated automatically by my web application, such as the session id and the anti-forgery token. So I can't set the Path property on them, since I am not creating them through an HttpCookie object.

I am trying to gather explanations that are as clear as possible by googling, but it's difficult to get the flow clear.

Akshay Raut
  • I feel you may be on the wrong forum; some of the IIS questions you are asking are more suitable for admins to answer. But to help: the 'path' element of a cookie is from the root of the domain. So if you have multiple sites running as applications within the same domain, then they can access each other's cookies. –  Jun 07 '17 at 07:06
  • @ISMSDEV okay thank you for that. I posted it here because it was related to security that's all. –  Jun 07 '17 at 07:16
  • FWIW, the path attribute is treated as case sensitive by some browsers, whereas IIS is not. This can cause issues, so the default is recommended. If this is a security problem, carve out a subdomain just for this site. – user2320464 Jun 07 '17 at 22:32

1 Answer

In IIS Manager, "Sites" is neither a virtual directory, nor is it a "folder." It is a node. Underneath it are all the individual websites defined in IIS. This alone conveys no specific information about whether cookies may or may not be shared across sites.

The browser, which determines which cookies will be sent with which request, does not care about how you have defined sites in IIS, or about virtual directories that may live underneath those sites. It only cares about the properties of a specific request and the properties of the set of cookies it is storing, and by comparing the properties of the request with the properties of the cookies, it decides which cookies to send.

Some of the specific properties it may care about: the domain or address of the request, the path of the request, the protocol of the request, the domain or address the cookie was set from, the domain property of the cookie, the path property of the cookie, and the secure flag on the cookie.

These values may map to only a single site in IIS, or they may map to multiple sites when you've set up sites using sub-domains. So, there is no general rule. You'll have to examine your configuration to determine which sites will match any given cookie origin.

Xander
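To make the answer's matching rule concrete, here is an added Python illustration (not code from the question or the answer) of how a browser applies RFC 6265 domain, path and Secure matching to decide which cookies accompany a request; the host name, application paths and cookie jar are constructed, and the scoped anti-forgery cookie path is hypothetical.

```python
# Added illustration (not from the post): how a browser picks cookies per RFC 6265
# by comparing request host/path/scheme to each cookie's domain, Path and Secure flag.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # host the cookie is scoped to, lowercase, no leading dot
    path: str              # Path attribute; '/' if the server set none
    secure: bool = False   # Secure flag: only sent over https
    host_only: bool = True # True when no Domain attribute was sent

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match; the comparison is case-sensitive."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """Host-only cookies need the exact host; Domain= cookies also match subdomains."""
    host = request_host.lower()
    return host == cookie.domain or (not cookie.host_only and host.endswith("." + cookie.domain))

def cookies_for(url: str, jar: list) -> list:
    """Names of the cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    path = u.path or "/"
    return [c.name for c in jar
            if domain_matches(u.hostname, c)
            and path_matches(path, c.path)
            and (u.scheme == "https" or not c.secure)]

# Constructed jar: two applications under one IIS site, served from the same host.
JAR = [
    Cookie("ASP.NET_SessionId", "www.example.test", "/"),                     # default Path=/
    Cookie("__RequestVerificationToken", "www.example.test", "/SecureApp"),   # hypothetical scoped path
    Cookie("auth", "www.example.test", "/SecureApp", secure=True),
]

if __name__ == "__main__":
    # The Path=/ cookie set by SecureApp also goes to its sibling InsecureApp.
    print(cookies_for("https://www.example.test/InsecureApp/home", JAR))
    # Path-scoped cookies stay under /SecureApp; the Secure one is withheld over http.
    print(cookies_for("http://www.example.test/SecureApp/login", JAR))
    # Path matching is case-sensitive, as the comment on the question warns.
    print(cookies_for("https://www.example.test/secureapp/login", JAR))
```

IIS sites and virtual directories never appear in this decision: only the host, path and scheme of the request and the attributes of each stored cookie do.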