Secure flag not set to Cookies in .Net application

c# asp.net asp.net-mvc-3 cookies session-cookies

2296 观看

1回复

507 作者的声誉

I have included below line of codes in my Web.Config and Glbal.asax.cs file still when I use developer tools in browser I could see secure flag not set to the below Cookies.

Also Configured SSLSettings in my IIS(Selected checkbox requireSSL).

I would like to set Secure attribute to all Cookies not only to received but also to Sent cookies. Any suggestion please.

In Web.config:

<httpCookies requireSSL="true"/>

In Global.asax.cs:

protected void Application_EndRequest(object sender, EventArgs e)
        {
            if (Request.IsSecureConnection == true && HttpContext.Current.Request.Url.Scheme == "https")
            {
                Request.Cookies["ASP.NET_SessionID"].Secure = true;
                if (Request.Cookies.Count > 0)
                {
                    foreach (string s in Request.Cookies.AllKeys)
                    {
                        Request.Cookies[s].Secure = true;
                    }
                }

                Response.Cookies["ASP.NET_SessionID"].Secure = true;
                if (Response.Cookies.Count > 0)
                {
                    foreach (string s in Response.Cookies.AllKeys)
                    {
                        Response.Cookies[s].Secure = true;
                    }
                }
            }
        }

In Browser:enter image description here

作者: Ask_SO 的来源 发布者: 2017 年 9 月 15 日

回应 1


1

109 作者的声誉

There are two ways, one httpCookies element in web.config allows you to turn on requireSSL which only transmit all cookies including session in SSL only and also inside forms authentication, but if you turn on SSL on httpcookies you must also turn it on inside forms configuration too.

<form>
<httpCookies requireSSL="true" />
作者: G01 发布者: 2017 年 9 月 15 日
32x32