Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 2, 2010

How to secure ASP.NET cookies

The release of Firesheep a week ago brought a lot of attention to a problem that has been known for many, many years: cookies sent over both secure and insecure connections to the same site. Why all the fuss now? Well, first of all, "regular" people (as in non-geeks) can install Firesheep and start stealing Facebook sessions. With such a demonstration, people realize just how easy it is to "hack" another user's account. Secondly, we're all on Facebook, so we all feel that this affects us personally. We can relate to the risk, and it stirs our emotions. Thirdly, the media loves these kinds of demonstrations and can capitalize on the fear factor. This hack was simple enough and scaled nicely, which made it a good sell.

Now the debate goes on about Firesheep, here's a good blog post on the ethical aspects. In this post I also found a link to Microsoft's Malware center, their antivirus software apparently detects Firesheep as a hacktool. Like it really matters. Firesheep clones will pop up all over the Internet. The only viable path forward is to build websites not vulnerable to trivial eavesdropping attacks.

Firesheep has raised the bar for baseline security in web applications. Before Firesheep, you would be regarded as sloppy or lazy not to have secured your website's cookies. After the release of Firesheep, you're essentially committing a crime against your users — because now you (and they) know that cookies can easily be stolen.

If you need a basic introduction to what cookies are, check out the cookie article on Wikipedia. The rest of this post discusses more technical aspects of cookie security.

We'll start with the solution. If you're running an ASP.NET site and all the traffic should be served over SSL/TLS, you'll want to add the following configuration to your web.config:

  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />

Include this configuration in the web.config in the application's root directory, to ensure that the cookies you are issuing are secured across your entire site. The httpOnlyCookies setting helps protect cookies from scripting attacks, while the requireSSL setting fixes the Firesheep problem by marking issued cookies as secure. The lockItem attribute ensures that web.config files in subdirectories cannot override these settings. Here's the documentation on MSDN.

Read on for an explanation on what this configuration means (yes, you should read this too).
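The web.config element above is the recommended way to do this. As an added example (not code from the original post), here is a Global.asax code-behind that enforces the same two properties programmatically, which also answers a question asked later in the comments about doing this from C# at global scope. It assumes a classic System.Web application (ASP.NET 4.x on IIS); the handler names are the standard HttpApplication event methods, and the http-to-https redirect in the first handler is there to avoid the session-loss side effect of secure cookies that is explained further down in the post.

```csharp
// Global.asax.cs -- added example, not from the original post.
// Assumes a classic System.Web (ASP.NET 4.x on IIS) application whose
// traffic should be served exclusively over TLS.
using System;
using System.Web;

public class Global : HttpApplication
{
    // 1. Never serve the application over cleartext. A request arriving over
    //    http:// carries no Secure cookie, so ASP.NET would issue a fresh
    //    session cookie and the user would lose the session. Redirecting first
    //    means the browser retries over https:// and sends the cookie.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
        {
            return;
        }

        var builder = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443
        };

        // endResponse:false plus CompleteRequest() avoids the ThreadAbortException
        // that Response.Redirect(url, true) raises internally.
        Response.Redirect(builder.Uri.AbsoluteUri, false);
        CompleteRequest();
    }

    // 2. Belt and braces: stamp Secure and HttpOnly on every cookie this
    //    response sets, whichever code created it. The session cookie issued
    //    by SessionStateModule is already in Response.Cookies at this point.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HardenCookies(Response.Cookies);
    }

    // Kept separate so it can be exercised with a constructed HttpCookieCollection.
    public static void HardenCookies(HttpCookieCollection cookies)
    {
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            cookie.Secure = true;   // same effect as requireSSL="true"
            cookie.HttpOnly = true; // same effect as httpOnlyCookies="true"
        }
    }
}
```

The web.config approach is still preferable because it is declarative and can be locked with lockItem; the code above is useful when you cannot change the configuration, or as a safety net in a code base where cookies are created in many places.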

Secure cookies
The secure attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection. In effect the cookie will be missing in requests to addresses starting with http://, but will be included in requests to addresses served over https://. The browser reads this attribute when the cookie is set; in subsequent requests the secure flag is not sent back, since the Cookie request header carries only the cookie's name and value, so the server never sees it again.

There are some implications with secure cookies. In a cleartext request (http://), the browser will not include the cookie, as it's not sent over a secure channel. On the server side, this will appear to be a user without a session. Many webapps will then issue a new session cookie by default, which in turn overwrites the old session cookie, and the user loses his session. This is how ASP.NET works by design: upon receiving a request without a valid session cookie, ASP.NET will automatically create a new session identifier and issue a new cookie. So, be prepared for side-effects if you enable secure cookies on an ASP.NET site that contains links to http, or utilizes JavaScript that issues requests for content over http. Make sure all links and JavaScript requests are to https:// content!

HttpOnly cookies
The httpOnlyCookies attribute politely asks the web browser not to share a cookie with scripts or applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.

Modern browsers will prohibit scripts from reading the cookie value when this attribute is set. If scripts make requests to the web application (Ajax), the browser will still include the cookie in the request, but the script never gets direct access to the cookie's value.

For a Java applet, for example, the security effect is more notable. Requests initiated by an applet will be sent without the httponly cookie. There are several subtle effects of the httponly attribute on applets, depending on which browser and version is in use. These effects deserve a separate blog post — it's upcoming. Still, enable httpOnlyCookies on your site if you can!

Read more about HttpOnly cookies on the OWASP website.
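After enabling requireSSL and httpOnlyCookies it is worth verifying what the site actually sends, because a cookie created by a third-party module or an old code path can slip through. The following is an added example, not from the original post: a small C# audit that parses Set-Cookie header values and reports which of the two attributes are missing. The header strings in it are constructed samples with placeholder values; in practice you would feed it the Set-Cookie headers captured from your own deployment (for instance from HttpResponseMessage.Headers in an integration test).

```csharp
// Added example (not from the original post): audit Set-Cookie headers for
// the two attributes the post recommends. The sample headers are constructed.
using System;
using System.Collections.Generic;

public static class CookieAudit
{
    // Returns the attribute names that are missing from one Set-Cookie header.
    // Attribute names are case-insensitive per the cookie spec, so "secure"
    // and "Secure" are both accepted.
    public static List<string> MissingAttributes(string setCookieHeader)
    {
        var attributes = new HashSet<string>();
        string[] parts = setCookieHeader.Split(';');

        // parts[0] is "name=value"; everything after it is an attribute.
        for (int i = 1; i < parts.Length; i++)
        {
            string name = parts[i].Trim().Split('=')[0].ToLowerInvariant();
            attributes.Add(name);
        }

        var missing = new List<string>();
        if (!attributes.Contains("secure")) missing.Add("Secure");
        if (!attributes.Contains("httponly")) missing.Add("HttpOnly");
        return missing;
    }

    public static void Main()
    {
        // Constructed samples: what a misconfigured site and a correctly
        // configured ASP.NET site might send. Values are placeholders.
        string[] samples =
        {
            "ASP.NET_SessionId=PLACEHOLDER; path=/",                    // both missing
            "ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly",          // Secure missing
            ".ASPXAUTH=PLACEHOLDER; path=/; secure; HttpOnly",          // compliant
        };

        foreach (string header in samples)
        {
            List<string> missing = MissingAttributes(header);
            Console.WriteLine(missing.Count == 0
                ? "OK       " + header
                : "MISSING  " + string.Join(",", missing) + "  <- " + header);
        }
    }
}
```

Run this against every Set-Cookie header your site emits, not only the session cookie: the forms authentication cookie and any application cookies are just as interesting to an eavesdropper.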


  2. Is there a way to set httpOnlycookies using c# code at global scope?

  3. Yes, use this code in web.config file



  4. Thank you very much for sharing configurations. I will try this code to implement on my website to see how much it works.

  7. Firesheep is an innovator.

  38. Thanks for such smart and easy-to-follow guide!


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
