How to set most secure cookie without framework usage in C#

  • Question

  • User-1350516731 posted

    Hello all!

    What parameters do I need to add to a cookie for security efficiency?

    Thank you for your assistance!

    Wednesday, September 12, 2018 4:47 AM

Answers

  • User283571144 posted

    Hi Alex9,

    As far as I know, if we want to secure the cookie in C#, I suggest you add the web.config settings below to make your cookie more secure.

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>

    The lockItem attribute ensures that other web.config files cannot override these settings.

    The requireSSL attribute instructs the browser to include the cookie only in requests that are sent over an SSL/TLS connection. In effect, the cookie will be missing in requests to addresses starting with http://, but will be included in requests to addresses served over https://. This attribute is read by the browser when the cookie is set; in subsequent requests the secure flag will be included in neither request nor response.

    The HttpOnly attribute politely asks the web browser to not share a cookie with scripts or Applets. For session cookies, this attribute should always be true. As with the secure attribute, httpOnly can only be seen when a cookie is set in a response.

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 12, 2018 7:12 AM
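
Added example, not part of the thread or of the answer above: a framework-free C# sketch that writes a Set-Cookie value carrying the two flags the web.config turns on (requireSSL maps to Secure, httpOnlyCookies maps to HttpOnly) and checks response headers for them. The class `CookieAudit`, its method names and the sample headers are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (added example): build and audit Set-Cookie header values.
static class CookieAudit
{
    // Hand-built Set-Cookie value with both flags from the answer's config.
    public static string BuildSetCookie(string name, string value)
    {
        return name + "=" + Uri.EscapeDataString(value) + "; Path=/; Secure; HttpOnly";
    }

    // Return the flags missing from one Set-Cookie header value.
    // Attribute names are case-insensitive. The first segment is name=value,
    // so a cookie that is itself named "secure" is not mistaken for the flag.
    public static List<string> MissingFlags(string setCookie)
    {
        var attrs = new HashSet<string>(
            setCookie.Split(';').Skip(1).Select(p => p.Split('=')[0].Trim()),
            StringComparer.OrdinalIgnoreCase);
        return new[] { "Secure", "HttpOnly" }
            .Where(flag => !attrs.Contains(flag))
            .ToList();
    }

    static void Main()
    {
        // Constructed sample response headers, not captured from a real site.
        var samples = new[]
        {
            BuildSetCookie("sid", "abc 123"),
            "ASP.NET_SessionId=xyz; path=/; HttpOnly",
            "secure=1; Path=/",
            "pref=dark; path=/; secure; httponly",
        };

        foreach (var header in samples)
        {
            var missing = MissingFlags(header);
            var verdict = missing.Count == 0
                ? "OK   "
                : "WEAK (missing " + string.Join(", ", missing) + ") ";
            Console.WriteLine(verdict + header);
        }
    }
}
```

Because the flags appear only in the response that sets the cookie, the check has to run against Set-Cookie response headers, not against the Cookie header of later requests.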

All replies

  • User-1350516731 posted

    Thank you, Brando! Could you represent this in native client JavaScript?

    Wednesday, September 12, 2018 9:54 PM