How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the element, add the following element:
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
See here and here for MSDN documentation of these elements.
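
An added example, not part of the original answer: a Python check that parses a web.config and reports whether requireSSL="true" is set on httpCookies and, when a forms element is present, on that element too. The two sample configurations, the loginUrl value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: httpCookies is set, but <forms> lacks requireSSL.
OVERRIDDEN = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: both elements carry requireSSL="true".
HARDENED = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""


def _is_true(element):
    # A missing element or attribute falls back to the default, false.
    return element is not None and element.get("requireSSL", "false").strip().lower() == "true"


def audit_require_ssl(web_config_xml):
    """Return a list of findings; an empty list means both settings are in place."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    if system_web is None:
        return ["no <system.web> element found"]
    findings = []
    if not _is_true(system_web.find("httpCookies")):
        findings.append('<httpCookies> is missing requireSSL="true"')
    forms = system_web.find("authentication/forms")
    # Only flag <forms> when it exists: that is the override case in the answer.
    if forms is not None and not _is_true(forms):
        findings.append('<forms> is missing requireSSL="true"')
    return findings


if __name__ == "__main__":
    for name, xml in (("overridden", OVERRIDDEN), ("hardened", HARDENED)):
        print(name, audit_require_ssl(xml) or "OK")
```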