Question

I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? Is there anything else I should be considering to harden sessions further?

Was it helpful?

Solution

https://www.isecpartners.com/media/12009/web-session-management.pdf

A 19 page white paper on "Secure Session Management with Cookies for Web Applications"

They cover lots of security issues that I haven't seen all in one spot before. It's worth a read.

OTHER TIPS

The web.config setting to control this goes inside the System.Web element and looks like:

<httpCookies httpOnlyCookies="true" requireSSL="true" />
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top