Seure Cookie

Question

User-1432295049 posted

Hi,

I am facing one issue to make cookie secure.

Appsec Team want to make the cookie secure and Httponly for one of the application exposed on internet which works on https. The SSL Certificate is installed in reverse proxy server.So the communication is as below.

Client------https (SSL)---->Reverse proxy---http---->Web UI Server

The issue is, if we make the cookie secure, the Application will not read the cookie as the communication between RP and UI Server is on http. Please suggest.

Regards,

Saurabh

Answer 1

User527778624 posted

Hi,

check this site, may help u:

http://en.wikipedia.org/wiki/SSL_termination_proxy

Answer 2

User-1151753377 posted

Hi Saurabh,

Welcome to the ASP.NET forum.

Based on my understanding, you could try to write the following code in your EndRequest Event handler. This code can be added in an HttpModule or in your global.asax file.

if (Response.Cookies.Count > 0)
 {
     foreach (string s in Response.Cookies.AllKeys)
     {
         if (s == FormsAuthentication.FormsCookieName || s.ToLower() == “asp.net_sessionid”)
         {
              Response.Cookies[s].Secure = true;
         }
     }
 }

Forms Authentication cookie can also be marked secured by setting the requireSSL attribute in the tag in the web configuration file.

Further information you could refer to the links below:

http://anubhavg.wordpress.com/?s=why+we+need+to+mark+the+cookies+as+secured

http://security.stackexchange.com/questions/1518/how-to-ensure-that-cookies-are-always-sent-via-ssl-when-using-asp-net-on-iis-7-5

 

If there’s anything else I can do for you on this matter, please feel free to contact me at any time.

Best Regards,

Summer