I'm trying to set all cookies to Secure and HTTPOnly, and in web.config > system.web I set this:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Next, when I set the actual cookies on the login page, I'm doing this (and confirmed while debugging that they are set properly):
' Mark the cookie HttpOnly unconditionally, and Secure when the current request arrived over HTTPS
myCookie.HttpOnly = True
If Request.IsSecureConnection Then
    myCookie.Secure = True
End If
But when I get to the destination page and print out the cookie info, it clearly shows that they are not set:
ASP.NET_SessionId = 50yahcmaeayyipj1vkubava0; Secure = False; HTTPOnly = False
SSOLoggedIn = True; Secure = False; HTTPOnly = False
Here is the login process if it makes any difference:
User logs in on login.aspx and gets redirected to default.aspx, which is a frameset; then the main window is loaded with a splash page that shows a spinner while homepage.aspx loads. It's on homepage.aspx that the cookies are printed out in a debug output; I just checked, and they are false on the splash page as well.
I confirmed that we are in HTTPS the whole time.
Having set this in code, I never would have expected them to not retain these settings, but this was picked up in our Web Application Scan for vulnerabilities.
Any assistance would be greatly appreciated.
Thanks,
JW
John Waller DocXellent.com
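As an added example (not code from the original post or from the poster's application), here is a Python script that does what a web application scanner does for this finding: it inspects the Set-Cookie response headers for the Secure and HttpOnly attributes, and it also builds the Cookie request header a browser would send back, which carries only name=value pairs. The sample headers are constructed for the example, including the placeholder values and the third cookie; they were not captured from the site in the question.

```python
"""
Audit Set-Cookie response headers for the Secure and HttpOnly attributes,
the way a web application scanner does.  Constructed example; not code from
the original post.

Two facts the check depends on:
  * Secure and HttpOnly live only in the Set-Cookie *response* header.
  * The browser's Cookie *request* header carries name=value pairs only, so
    reading a cookie back on a later page can never show these attributes.
"""
from typing import Dict, List, Tuple

# Sample response headers, as an ASP.NET application might emit them after
# login.  Constructed for this example; the values are placeholders and the
# third cookie is an assumed, fully flagged one for contrast.
SAMPLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly"),
    ("Set-Cookie", "SSOLoggedIn=True; path=/"),
    ("Set-Cookie", ".ASPXAUTH=PLACEHOLDER; path=/; HttpOnly; Secure"),
    ("Content-Type", "text/html; charset=utf-8"),
]


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Per RFC 6265 the first 'name=value' is the cookie itself and everything
    after the first ';' is an attribute.  Attribute names are lower-cased;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_cookie_flags(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every Set-Cookie header.

    A cookie that carries both Secure and HttpOnly maps to an empty list.
    """
    findings: Dict[str, List[str]] = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        findings[name] = missing
    return findings


def cookie_request_header(headers: List[Tuple[str, str]]) -> str:
    """Build the Cookie header a browser would send back to the same origin.

    Only name=value survives the round trip; Secure, HttpOnly and path are
    not echoed, which is why Request.Cookies never reports those flags.
    """
    pairs = []
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, cookie_value, _ = parse_set_cookie(value)
            pairs.append(f"{name}={cookie_value}")
    return "; ".join(pairs)


if __name__ == "__main__":
    for name, missing in audit_cookie_flags(SAMPLE_RESPONSE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print("Cookie header on the next request:",
          cookie_request_header(SAMPLE_RESPONSE_HEADERS))
```

Because the request side never carries the attributes, printing Request.Cookies on homepage.aspx cannot confirm whether the flags were set; the place to look is the Set-Cookie header of the response that issued each cookie, captured with browser developer tools or an intercepting proxy. Note also that ASP.NET_SessionId is written by the session-state module rather than by page code, so its flags come from the httpCookies element rather than from the login page's cookie-setting code.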