Enable secure cookies over HTTPS.

April 11, 2017

It is important to realize that although a website might be running under HTTPS, this does not guarantee that its session information is inaccessible from plain HTTP requests. When a session cookie is generated, make sure the cookie can only be transmitted over a secure HTTP connection (HTTPS).

There is a vulnerability called POODLE which takes advantage of sites that allow session cookie information to be transmitted over an insecure connection. This allows man-in-the-middle attacks where the attacker downgrades a secure HTTP connection to an insecure HTTP connection and the cookie information is still transmitted.

With WS-Federation, this requires a configuration change in the issuing STS. Note that the cookieHandler element's “requireSsl” attribute is set to “true”.

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" mode="Chunked" path="/"></cookieHandler>
  </federationConfiguration>
</system.identityModel.services>

For ASP.NET websites that might be generating other cookies, the configuration change is similar. Change the requireSSL attribute to “true”.

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>
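To verify that both configuration changes above actually took effect, audit the Set-Cookie headers the site returns for the Secure and HttpOnly flags. The script below is an added example, not code from the original post; the sample headers are constructed, and the cookie names FedAuth (the default WS-Federation session cookie) and ASP.NET_SessionId (the default ASP.NET session cookie) are used for illustration.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the original post. SAMPLE_HEADERS is constructed to
show what a site might send before the requireSsl / requireSSL changes are made.
"""
import urllib.request

# Constructed sample: FedAuth lacks Secure, the session cookie lacks both flags,
# and a third cookie is already configured correctly.
SAMPLE_HEADERS = [
    "FedAuth=c2FtcGxl; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123def456; path=/",
    "Preferences=theme=dark; path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> dict:
    """Return {'name': cookie name, 'attrs': {lowercased attribute: value or True}}."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = value.strip() if value else True
    return {"name": name, "attrs": attrs}


def audit_cookies(headers) -> dict:
    """Map each cookie name to the list of flags it is missing."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in cookie["attrs"]]
        findings[cookie["name"]] = missing
    return findings


def fetch_set_cookies(url: str) -> list:
    """Fetch url over HTTPS and return its Set-Cookie headers (needs network access)."""
    if not url.lower().startswith("https://"):
        raise ValueError("audit the HTTPS endpoint; Secure cookies are never sent over http://")
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the sign-in page of the real site with `audit_cookies(fetch_set_cookies("https://your-host/"))`; any cookie reported as missing Secure will still be sent over plain HTTP.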
