Secure Cookie Attribute

Overview

The Secure attribute is an option the application server can set on a cookie it sends to the user in an HTTP response (in the Set-Cookie header). Its purpose is to keep the cookie from being observed by unauthorized parties through transmission in clear text. Browsers that support the attribute only attach a Secure cookie to requests made over HTTPS; put another way, the browser will not send a cookie carrying the Secure attribute on an unencrypted HTTP request. The attribute governs transport only: it does not encrypt the cookie value itself, and it does not restrict script access to the cookie (that is what HttpOnly does).
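As an added illustration (not part of the OWASP text above), the following JavaScript models the browser-side rule just described: it parses a Set-Cookie header and decides whether a cookie marked Secure would be attached to a request for a given URL, including the loopback exception (localhost, 127.0.0.1) that the MDN quote further down this page mentions. The sample headers are constructed, and wouldSend() checks only the Secure rule, not Domain, Path or Expires matching.

```javascript
// Added example, not from the OWASP text: a model of what the browser does
// with the Secure attribute. Parses Set-Cookie, then applies the transport rule.

function parseSetCookie(header) {
  // name=value comes first; each further ";"-separated part is an attribute.
  const [nameValue, ...attrParts] = header.split(';');
  const eq = nameValue.indexOf('=');
  if (eq <= 0) throw new Error(`malformed Set-Cookie: ${header}`);
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    attributes: {}, // e.g. { path: '/', domain: 'example.com' }
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split('=');
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    const val = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key) cookie.attributes[key] = val;
  }
  return cookie;
}

// A request is "secure" for cookie purposes when it uses https, or when it
// targets loopback over plain http (the localhost exception MDN documents).
function isSecureContext(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  if (u.protocol === 'http:') {
    return u.hostname === 'localhost' || u.hostname === '127.0.0.1' || u.hostname === '[::1]';
  }
  return false;
}

// Would the browser attach this cookie to a request for `url`?
// Only the Secure rule is modelled here; Domain/Path/Expires matching is ignored.
function wouldSend(cookie, url) {
  return !cookie.secure || isSecureContext(url);
}

// Audit: which cookies from one response would still travel over plain HTTP?
function cookiesWithoutSecure(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie).filter(c => !c.secure).map(c => c.name);
}

// Constructed sample response headers (not captured from a real server).
const sampleHeaders = [
  'ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure',
  '.ASPXAUTH=deadbeef; path=/; HttpOnly',
  'theme=dark; Path=/',
];

for (const h of sampleHeaders) {
  const c = parseSetCookie(h);
  console.log(c.name, {
    https: wouldSend(c, 'https://example.com/app'),
    http: wouldSend(c, 'http://example.com/app'),
    localhost: wouldSend(c, 'http://localhost:5000/app'),
  });
}
console.log('missing Secure:', cookiesWithoutSecure(sampleHeaders));
```

Running it with Node prints, for each sample cookie, whether it would be sent over https, over plain http and to http://localhost; the session cookie is withheld from plain http only, while the two cookies without Secure are sent everywhere and are reported by cookiesWithoutSecure().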

Setting the Secure Attribute

The following sections describe how to set the Secure attribute in the respective technologies.

ASP.NET

Set the following in Web.config, inside <system.web>: <httpCookies requireSSL="true" />

Some elements have their own requireSSL property, such as the Forms Authentication cookie; for those, set requireSSL="true" on that specific element in web.config. For example:

<authentication mode="Forms">
  <forms loginUrl="member_login.aspx"
         cookieless="UseCookies"
         requireSSL="true"
         path="/MyApplication" />
</authentication>

This enables the Secure attribute on the Forms Authentication cookie and also makes ASP.NET check that the request reached the server over an SSL/TLS connection (Request.IsSecureConnection); an authentication ticket presented over plain HTTP is ignored. Note that if TLS is offloaded to a load balancer and the traffic reaches the application server as plain HTTP, IsSecureConnection is false, so requireSSL="true" breaks authentication (and FormsAuthentication.SetAuthCookie throws) even though the client used HTTPS.

Alternatively, cookies can be marked Secure programmatically by adding an EndRequest event handler to Global.asax.cs; EndRequest runs after the page has written its cookies, so the handler covers every cookie in the response:

protected void Application_EndRequest(Object sender, EventArgs e) {
    // Iterate through any cookies found in the Response object and mark each one Secure.
    // (Indexing by a key from AllKeys never creates a new cookie, so no null check is needed.)
    foreach (string cookieName in Response.Cookies.AllKeys) {
        Response.Cookies[cookieName].Secure = true;
    }
}


How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

The suggested way around this is to secure the session ID and form request cookies when handling page requests, e.g.

// This code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
        {
             Response.Cookies[s].Secure = true;
        }
    }
}

as well as an additional line in the web.config for securing form auth tokens:

<authentication mode="Forms">
   <forms ...  requireSSL="true" />
</authentication>

2020 - EDIT:

As requested in the comments, it is possible to configure this using only IIS rewrite rules as well, by checking the cookie for the secure flag and adding it if it's not found, e.g.:

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Use only secure cookies" preCondition="Unsecured cookie">
        <match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; secure" />
      </rule>
      <preConditions>
        <preCondition name="Unsecured cookie">
          <add input="{RESPONSE_SET_COOKIE}" pattern="." />
          <add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
...
</system.webServer>

Sources: Securing Request-Response cookies - Secure forms authentication via Web.config - How to Enable Secure HttpOnly Cookies in IIS
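The IIS rule in the answer above has one job: append a Secure attribute to any Set-Cookie header that lacks it. As an added example (not from the Stack Overflow answer or from IIS itself), here is the same logic written as a plain JavaScript function over a response's Set-Cookie headers, generalized to any flag attribute so it can also add HttpOnly; the headers are constructed samples. Like the IIS preCondition (which ignores case by default), the check is case-insensitive, because RFC 6265 attribute names are.

```javascript
// Added example, not from the Stack Overflow answer or from IIS.
// Mirrors the outbound rewrite rule: add a flag attribute to every
// Set-Cookie header that does not already carry it.

// Flag attributes (Secure, HttpOnly) have no "=value"; match them as a whole
// attribute token, case-insensitively, so a cookie *named* "insecure" or a
// cookie whose value is "secure" does not count as already flagged.
function hasFlagAttribute(setCookie, attr) {
  const re = new RegExp(`;\\s*${attr}\\s*(?:;|$)`, 'i');
  return re.test(setCookie);
}

// Return a new Set-Cookie value with "; <attr>" appended when it is absent.
function ensureFlagAttribute(setCookie, attr) {
  if (hasFlagAttribute(setCookie, attr)) return setCookie;
  // Strip a dangling ";" or trailing whitespace so we never emit ";; Secure".
  return setCookie.replace(/[;\s]+$/, '') + `; ${attr}`;
}

// The IIS rule is evaluated once per Set-Cookie header, so apply it per header.
function secureAllCookies(setCookieHeaders, attrs = ['Secure']) {
  return setCookieHeaders.map(h => attrs.reduce((acc, a) => ensureFlagAttribute(acc, a), h));
}

// Constructed sample: one cookie already Secure, one not, one with a trailing ";".
const sampleSetCookies = [
  'ASP.NET_SessionId=abc123; path=/; HttpOnly; secure',
  '.ASPXAUTH=deadbeef; path=/; HttpOnly',
  'theme=dark; Path=/;',
];

console.log(secureAllCookies(sampleSetCookies));
```

Two practical notes: the IIS rule itself requires the URL Rewrite module to be installed, and adding HttpOnly this way to every cookie breaks any cookie that client-side script legitimately reads, so decide the attribute list per cookie name rather than blanket-applying it.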


ASP MVC 3 cookie losing HttpOnly and Secure flags

Try this, looks like a similar issue. (How can I set the Secure flag on an ASP.NET Session Cookie?)

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
        <!-- forms content -->
    </forms>
  </authentication>
</system.web>


https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), 

Microsoft's FormsAuthentication follows this as well: its cookie is issued normally, and the browser does submit it to localhost and 127.0.0.1 over plain HTTP. ASP.NET, however, will not process it there, because with requireSSL="true" the FormsAuthentication module checks Request.IsSecureConnection and discards the ticket on a non-TLS request. The result is that a Secure FormsAuthentication cookie stops working under HTTP, even on localhost where the browser still sends it.


Author: Chuck Lu (GitHub)