Nov 2, 2010

How to secure ASP.NET cookies

The release of Firesheep a week ago brought a lot of attention to a problem that has been known for many, many years: cookies sent over both secure and insecure connections to the same site. Why all the fuss now? Well, first of all, "regular" people (as in non-geeks) can install Firesheep and start stealing Facebook sessions. With such a demonstration, people realize just how easy it is to "hack" another user's account. Secondly, we're all on Facebook, so we all feel that this affects us personally. We can relate to the risk, and it stirs our emotions. Thirdly, the media loves these kinds of demonstrations and can capitalize on the fear factor. This hack was simple enough and scaled nicely, which made it a good sell.

Now the debate about Firesheep goes on; here's a good blog post on the ethical aspects. In that post I also found a link to Microsoft's Malware center; their antivirus software apparently detects Firesheep as a hacktool. Like it really matters. Firesheep clones will pop up all over the Internet. The only viable path forward is to build websites that are not vulnerable to trivial eavesdropping attacks.

Firesheep has raised the bar for baseline security in web applications. Before Firesheep, you would be regarded as sloppy or lazy not to have secured your website's cookies. After the release of Firesheep, you're essentially committing a crime against your users — because now you (and they) know that cookies can easily be stolen.

If you need a basic introduction to what cookies are, check out the cookie article on Wikipedia. The rest of this post discusses more technical aspects of cookie security.

We'll start with the solution. If you're running an ASP.NET site and all the traffic should be served over SSL/TLS, you'll want to add the following configuration to your web.config:

  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />

Include this configuration in the web.config in the application's root directory, to ensure that the cookies you are issuing are secured across your entire site. The httpOnlyCookies setting helps protect cookies from scripting attacks, while the requireSSL setting fixes the Firesheep problem by marking issued cookies as secure. The lockItem attribute ensures that other web.config files (for example in subdirectories) cannot override these settings. Here's the documentation on MSDN.

Read on for an explanation on what this configuration means (yes, you should read this too).

Secure cookies
The secure attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection. In effect, the cookie will be missing from requests to addresses starting with http://, but will be included in requests to addresses served over https://. This attribute is read by the browser when the cookie is set; in subsequent requests the secure flag is included in neither the request nor the response.

Secure cookies have some implications. In a cleartext request (http://), the browser will not include the cookie, as the request is not sent over a secure channel. On the server side, this will appear to be a user without a session. Many webapps will then issue a new session cookie by default, which in turn overwrites the old session cookie, and the user loses his session. This is how ASP.NET works by design: upon receiving a request without a valid session cookie, ASP.NET will automatically create a new session identifier and issue a new cookie. So, be prepared for side effects if you enable secure cookies on an ASP.NET site that contains links to http, or uses JavaScript that issues requests for content over http. Make sure all links and JavaScript requests are to https:// content!
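As an added example (not code from this post or from ASP.NET), the following Python script uses the standard library's cookie jar, which applies the same rule a browser does, to show that a cookie carrying the secure attribute is attached to https:// requests only, and to check a Set-Cookie header for the two flags the httpCookies element controls. The hostname example.test and the cookie values are constructed.

```python
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # appends, never overwrites

    def info(self):
        return self._headers


def cookies_sent(set_cookie_headers, issued_at, request_url):
    """Store the cookies a response from `issued_at` set, then return the
    name -> value pairs a browser would attach to a request for `request_url`.
    A cookie flagged secure is only attached when the request uses https."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(issued_at))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    cookie_header = request.get_header("Cookie")
    if cookie_header is None:  # no stored cookie qualified for this URL
        return {}
    return dict(part.split("=", 1) for part in cookie_header.split("; "))


def missing_flags(set_cookie_header):
    """Return which of the flags requireSSL / httpOnlyCookies add are absent."""
    attrs = {a.strip().lower() for a in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


# Constructed sample headers (hostname and cookie value are made up): what a
# site sends with requireSSL="true" and httpOnlyCookies="true", and without.
SECURE_SESSION = "ASP.NET_SessionId=constructed123; path=/; secure; HttpOnly"
PLAIN_SESSION = "ASP.NET_SessionId=constructed123; path=/"
SITE = "https://example.test/"

if __name__ == "__main__":
    for header in (SECURE_SESSION, PLAIN_SESSION):
        print(header, "-> missing flags:", missing_flags(header))
        for url in ("https://example.test/page", "http://example.test/page"):
            print("  ", url, "gets", cookies_sent([header], SITE, url))
```

The http:// request with the secure cookie arrives with no Cookie header at all, which is exactly the "user without a session" case described above.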

HttpOnly cookies
The httpOnlyCookies attribute politely asks the web browser not to share a cookie with scripts or applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.

Modern browsers will prohibit scripts from reading the cookie value when this attribute is set. If scripts make requests to the web application (Ajax), the browser will still include the cookie in the request, but the script never gets direct access to the cookie's value.

For a Java applet, for example, the security effect is more notable. Requests initiated by an applet will be sent without the httpOnly cookie. There are several subtle effects of the httpOnly attribute on applets, depending on which browser and version is in use. These effects deserve a separate blog post; it's upcoming. Still, enable httpOnlyCookies on your site if you can!

Read more about HttpOnly cookies on the OWASP website.


  2. Is there a way to set httpOnlyCookies using C# code at global scope?

  3. Yes, use this code in the web.config file



  4. Thank you very much for sharing configurations. I will try this code to implement on my website to see how much it works.

  7. Firesheep is an innovator.


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.