Securing cookies in ASP.NET
Question
i know this question has been asked many times but i dont know why im unable to sort out this issue
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="false" domain=""/>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="20" cookieName="id">
</system.web>
but its not working as required
can someone help me how to get it fixed or what im doing wrong .
i have tried to get it fixed in code in Global.asax on App
protected void Application_EndRequest()
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s.ToLower() == "id")
{
Response.Cookies[s].HttpOnly = true;
}
}
}
Enviroment: ASP.NET MVC
Regards
1 answers
solution1
1 2017-02-23 06:56:41
This will help you.
There are two ways, one httpCookies element in web.config allows you to turn on ReqiresSSL. The secure attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection.
The httpOnlyCookies attribute politely asks the web browser to not share a cookie with scripts or Applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.
https://stackoverflow.com/a/6190050/1891919
https://www.jardinesoftware.net/2015/10/13/securing-the-net-cookies/
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.