
Nov 2, 2010

How to secure ASP.NET cookies

The release of Firesheep a week ago brought a lot of attention to a problem that has been known for many, many years: cookies sent over both secure and insecure connections to the same site. Why all the fuss now? Well, first of all, "regular" people (as in non-geeks) can install Firesheep and start stealing Facebook sessions. With such a demonstration, people realize just how easy it is to "hack" another user's account. Secondly, we're all on Facebook, so we all feel that this affects us personally. We can relate to the risk, and it stirs our emotions. Thirdly, the media loves these kinds of demonstrations and can capitalize on the fear factor. This hack was simple enough and scaled nicely, which made it a good sell.

Now the debate goes on about Firesheep; here's a good blog post on the ethical aspects. In that post I also found a link to Microsoft's Malware center: their antivirus software apparently detects Firesheep as a hacktool. Like it really matters. Firesheep clones will pop up all over the Internet. The only viable path forward is to build websites that are not vulnerable to trivial eavesdropping attacks.

Firesheep has raised the bar for baseline security in web applications. Before Firesheep, you would be regarded as sloppy or lazy not to have secured your website's cookies. After the release of Firesheep, you're essentially committing a crime against your users — because now you (and they) know that cookies can easily be stolen.

If you need a basic introduction to what cookies are, check out the cookie article on Wikipedia. The rest of this post discusses more technical aspects of cookie security.

We'll start with the solution. If you're running an ASP.NET site and all the traffic should be served over SSL/TLS, you'll want to add the following configuration to your web.config:

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>

Include this configuration in the web.config in the application's root directory to ensure that the cookies you issue are secured across your entire site. The httpOnlyCookies setting helps protect cookies from scripting attacks, while the requireSSL setting fixes the Firesheep problem by marking issued cookies as secure. The lockItem attribute ensures that web.config files in subdirectories cannot override these settings. Here's the documentation on MSDN.

Read on for an explanation of what this configuration means (yes, you should read this too).

Secure cookies
The secure attribute instructs the browser to include the cookie only in requests sent over an SSL/TLS connection. In effect, the cookie will be missing from requests to addresses starting with http://, but included in requests to addresses served over https://. The browser reads this attribute only once, from the Set-Cookie header of the response that sets the cookie; in subsequent requests and responses the secure flag appears nowhere, so a Cookie request header carries just the name and value and gives no hint of whether the cookie is secure.

There are some implications of secure cookies. In a cleartext request (http://), the browser will not include the cookie, since the request is not sent over a secure channel. On the server side, this will appear to be a user without a session. Many web apps will then issue a new session cookie by default, which in turn overwrites the old session cookie, and the user loses the session. This is how ASP.NET works by design: upon receiving a request without a valid session cookie, ASP.NET automatically creates a new session identifier and issues a new cookie. So, be prepared for side effects if you enable secure cookies on an ASP.NET site that contains links to http:// pages, or uses JavaScript that requests content over http://. Make sure all links and JavaScript requests point to https:// content!

HttpOnly cookies
The httpOnlyCookies attribute politely asks the web browser not to share a cookie with scripts or applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.

Modern browsers prohibit scripts from reading the cookie value when this attribute is set. If scripts make requests to the web application (Ajax), the browser will still include the cookie in the request, but the script never gets direct access to the cookie's value.
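As an added example (not part of the original post), here is a small JavaScript model of the two browser-side decisions described in the Secure cookies and HttpOnly cookies sections above: whether a cookie is attached to an http:// versus https:// request, and whether a script can read it. The cookie names and values are constructed sample data.

```javascript
// Added example, not from the original post: a minimal model of how a browser
// applies the Secure and HttpOnly attributes. Names and values are constructed.
// Parse one Set-Cookie response header. This is the only place the browser ever
// sees the attributes; a later Cookie request header carries name=value only.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// A cookie jar for a single site, modelling the two browser-side decisions.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c); // a later Set-Cookie with the same name overwrites
  }

  // Cookie request header for a URL: Secure cookies travel only over https://, so a
  // Secure session cookie is absent from an http:// request and the server sees
  // a user without a session (ASP.NET then issues a fresh one, as described above).
  cookieHeaderFor(url) {
    const https = new URL(url).protocol === 'https:';
    return [...this.cookies.values()]
      .filter((c) => https || !c.secure)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What document.cookie would expose: HttpOnly cookies are hidden from script,
  // although the browser still attaches them to requests (including Ajax).
  scriptVisible() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed sample: a session cookie issued with requireSSL and httpOnlyCookies
// enabled, next to a preference cookie issued with neither attribute.
const jar = new CookieJar();
jar.store('ASP.NET_SessionId=abc123; path=/; secure; HttpOnly');
jar.store('theme=dark; path=/');
```

Over https:// the Cookie header is `ASP.NET_SessionId=abc123; theme=dark`, over http:// it shrinks to `theme=dark`, and `scriptVisible()` likewise returns only `theme=dark`.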

For a Java applet, for example, the security effect is more notable: requests initiated by an applet are sent without the httpOnly cookie. There are several subtle effects of the httpOnly attribute on applets, depending on which browser and version is in use. These effects deserve a separate blog post — it's upcoming. Still, enable httpOnlyCookies on your site if you can!

Read more about HttpOnly cookies on the OWASP website.

43 comments:

  2. Is there a way to set httpOnlycookies using c# code at global scope?

  3. Yes, use this code in web.config file
    under

    ...

    .....

  4. Thank you very much for sharing configurations. I will try this code to implement on my website to see how much it works.

  7. Firesheep is an innovator.

  9. I think when you are using the ASP.NET framework so you can easily find the cookies saving method in that code. So try new ASP.NET framework for solving your errors.


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.