Session value is not retained when httpCookies requireSSL="true"


  • User-1284851152 posted
    Dear All,
     
    We have a website (Web Forms) developed with ASP.NET 4.0. It can be accessed with two domain names, one with HTTPS and the other with HTTP (non-SSL).
    Dynamic Security Scan
    Recently we ran a dynamic security scan on our website; it reported a few security issues, and to fix those issues we added the settings below to the web.config file.
     
    <system.web>
      <httpCookies requireSSL="true" />
    </system.web>
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
          <add name="X-XSS-Protection" value="1; mode=block" />
          <add name="X-Content-Type-Options" value="nosniff" />
          <add name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    Due to these changes, we are facing an issue with the domain name that doesn't have SSL: the website doesn't retain the SESSION values. However, the domain name with SSL is working fine.
    My observation is:
    The website doesn't report any issue when we check it on the localhost server (without SSL); only in production does it exhibit this issue, with the domain that doesn't have SSL.
     
    Please help me to solve this issue.

    Thursday, March 11, 2021 1:52 PM

All replies

  • User475983607 posted

    Please help me to solve this issue.

    There is nothing to solve. You specifically configured the site to require SSL for http cookies and the site is working as expected.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, March 11, 2021 2:01 PM
  • User-1284851152 posted

    @mgebhard

    Thanks for your reply. My only doubt is that it worked fine when we checked on the localhost, which doesn't have SSL.

    Only when we hosted it on the server with the domain does it throw the error. Please clear this doubt.

    Thursday, March 11, 2021 2:08 PM
  • User753101303 posted

    Hi,

    Yes, I noticed once that this kind of restriction is not always enforced on localhost, likely because it doesn't leave your own machine. What you see is the expected behavior, i.e. it tells the browser to send cookies (implied to another machine) only if using https.

    See for example https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, March 11, 2021 2:26 PM
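To make the two answers concrete, here is a small Python model of the rule they describe (an added example, not code from the thread or from ASP.NET): a cookie carrying the Secure attribute, which is what httpCookies requireSSL="true" adds to the ASP.NET_SessionId cookie, is returned by the browser only on requests to a secure context, and browsers treat loopback hosts such as localhost as secure even over plain http (the rule on the MDN page linked above). The Set-Cookie strings and hostnames are constructed; they stand in for the two production domains and the local test server in the question.

```python
"""Model of why a Secure session cookie survives on https:// and on localhost
but not on a production http:// host (added example, not code from the thread)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed Set-Cookie headers. The first has the shape ASP.NET emits for its
# session cookie once <httpCookies requireSSL="true" /> is in effect; the cookie
# value itself is made up for the example.
SET_COOKIE_REQUIRE_SSL = "ASP.NET_SessionId=abc123example; path=/; secure; HttpOnly"
SET_COOKIE_DEFAULT = "ASP.NET_SessionId=abc123example; path=/; HttpOnly"

# Constructed URLs standing in for the three deployments discussed in the thread.
SCENARIOS = {
    "https production": "https://secure.example.com/Default.aspx",
    "http production": "http://www.example.org/Default.aspx",
    "http localhost": "http://localhost:8080/Default.aspx",
}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Extract name, value and the two flags this problem hinges on.

    Attribute names are case-insensitive per RFC 6265, so compare lower-cased.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name=name.strip(), value=value.strip(),
                  secure="secure" in attrs, http_only="httponly" in attrs)


def is_potentially_trustworthy(url: str) -> bool:
    """Secure-context rule from the MDN page linked in the thread.

    https (and wss) origins are secure; so are loopback hosts, which is why a
    localhost test never leaves the machine and is treated as secure even over
    plain http. Any other host reached over http is insecure.
    """
    u = urlsplit(url)
    if u.scheme in ("https", "wss"):
        return True
    host = (u.hostname or "").lower()
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")


def browser_sends_cookie(cookie: Cookie, request_url: str) -> bool:
    """A cookie with the Secure flag is attached only to requests the browser
    considers secure; a cookie without it is sent on any scheme."""
    if not cookie.secure:
        return True
    return is_potentially_trustworthy(request_url)


def session_retained(set_cookie_header: str) -> dict:
    """For each deployment: does the session cookie come back on the next request?

    If it does not, ASP.NET sees a brand-new session on every hit, which is
    exactly the 'session values are not retained' symptom from the question.
    """
    cookie = parse_set_cookie(set_cookie_header)
    return {label: browser_sends_cookie(cookie, url) for label, url in SCENARIOS.items()}


if __name__ == "__main__":
    for header in (SET_COOKIE_REQUIRE_SSL, SET_COOKIE_DEFAULT):
        print(header)
        for label, ok in session_retained(header).items():
            print(f"  {label:16s} -> {'session retained' if ok else 'session lost'}")
```

Running it shows the pattern reported in the thread: with the Secure flag the session is retained on the https domain and on localhost but lost on the plain-http domain, while the cookie without the flag is retained everywhere. The practical consequence is that once requireSSL="true" is set, the http domain needs to redirect to https (the Strict-Transport-Security header already assumes that) rather than serve the application itself.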
  • User-1284851152 posted

    Thanks a ton. You saved my day.

    Thursday, March 11, 2021 2:29 PM