Setting Cookies to Secure and HTTPOnly but they are not when tested

  • Question

  • I'm trying to set all cookies to Secure and HTTPOnly, and in web.config > system.web I set this:

        <httpCookies httpOnlyCookies="true" requireSSL="true" />

    Next when I set the actual cookies on the login page, I'm doing this (and confirm while debugging they are set properly):

        myCookie.HttpOnly = True
        If Request.IsSecureConnection.Equals(True) Then
            myCookie.Secure = True
        End If

    But when I get to the destination page and print out the cookie info, it clearly shows that they are not set:

        ASP.NET_SessionId = 50yahcmaeayyipj1vkubava0; Secure = False; HTTPOnly = False
        SSOLoggedIn = True; Secure = False; HTTPOnly = False

    Here is the login process if it makes any difference:

    User logs in on login.aspx gets redirected to default.aspx which is a frameset, then the main window is loaded with a Splash page that shows a spinner while homepage.aspx loads. It's on homepage.aspx that the cookies are printed out in a debug output; just checked and they are false on the splash page as well.

    I confirmed that we are in HTTPS the whole time.

    Having set this in code, I never would have expected them to not retain these settings, but this was picked up in our Web Application Scan for vulnerabilities.

    Any assistance would be gratefully appreciated.

    Thanks,

    JW


    John Waller DocXellent.com

    Monday, October 16, 2017 3:34 PM
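
An added example, not part of the original thread: a Python check that audits cookie flags from the `Set-Cookie` response headers, which is where `Secure` and `HttpOnly` are carried (per RFC 6265, the `Cookie` request header a browser sends back holds only name=value pairs). The header values and function names are constructed for illustration and are not output from the poster's site.

```python
# Added example: audit cookie flags where they actually travel (Set-Cookie).
# Header values below are constructed sample data, not from the poster's site.

SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly"),
    ("Set-Cookie", "SSOLoggedIn=True; path=/"),
]
# What the browser sends back on the next request: names and values only.
SAMPLE_REQUEST_COOKIE_HEADER = "ASP.NET_SessionId=abc123; SSOLoggedIn=True"


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), cookie_value.strip(), attrs


def audit_response(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header."""
    findings = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        findings[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return findings


def parse_request_cookies(value):
    """Parse a Cookie request header; it has no attribute syntax at all."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {name: val for name, _, val in pairs}


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(name, "missing:", ", ".join(missing) or "none")
    print("request side:", parse_request_cookies(SAMPLE_REQUEST_COOKIE_HEADER))
```
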

All replies

  • Hi John,

    Welcome to the MSDN forum.

    According to your description, your issue is about ASP.NET development. Since our forum is for discussing the VS IDE, please redirect to the appropriate forum: https://forums.asp.net/ and start a new thread to seek more professional support. Thank you for your understanding.

    Best regards,

    Sara


    MSDN Community Support

    Tuesday, October 17, 2017 1:46 AM