Enable secure cookies over HTTPS.

By | April 11, 2017

It is important to realize that although a website might be served over HTTPS, this alone does not guarantee that its session information cannot be sent in ordinary HTTP requests. When a session cookie is generated, make sure it is flagged so that the browser only transmits it over a secure connection (HTTPS).

There is a vulnerability called POODLE that takes advantage of sites which allow the session cookie to be transmitted over an unsecured connection. This allows man-in-the-middle attacks in which the attacker downgrades a secure HTTP connection to an unsecured HTTP connection while the cookie information is still transmitted.

With WS-Federation this requires a configuration change in the issuing STS. Note that the cookieHandler attribute "requireSsl" is set to "true":

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" mode="Chunked" path="/"></cookieHandler>
  </federationConfiguration>
</system.identityModel.services>

For ASP.NET websites that generate other cookies, the configuration change is similar: set the requireSSL attribute of the httpCookies element to "true".

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>
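After deploying either configuration change, verify it against the live response headers. The following Python check is an added example, not code from the original post: it parses Set-Cookie header values and reports any cookie missing the Secure or HttpOnly attribute. The sample headers are constructed, with FedAuth standing for the WS-Federation session cookie and ASP.NET_SessionId for the ASP.NET session cookie.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags."""
from typing import Dict, List, Tuple

# Attributes a session cookie should carry on an HTTPS-only site.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into the cookie name and its attributes.

    Attribute names are lower-cased because servers emit them in mixed case
    ("secure", "Secure", "HttpOnly"); flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie lacking a required flag.

    An empty dict means every cookie in the response carries Secure and HttpOnly.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers: what the site might send before and after setting requireSSL.
BEFORE_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "FedAuth=77u/PD94bWw; path=/; HttpOnly",
]
AFTER_FIX = [
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",
    "FedAuth=77u/PD94bWw; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    print("before:", audit_set_cookie(BEFORE_FIX))  # {'ASP.NET_SessionId': ['secure'], 'FedAuth': ['secure']}
    print("after: ", audit_set_cookie(AFTER_FIX))   # {}
```

Feed it the Set-Cookie values captured from a real HTTPS response (for example from browser developer tools) to confirm the flags are present after the change.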

You might also be interested in these posts, all related to the POODLE vulnerability:

Securing Http with HSTS in IIS
How to disable insecure cipher suites.
