Question
After a security audit I got the requirement to set the cookie ASP.NET_sessionID as "secure".
Right now the flag is not set.
Can I use SessionIDManager to set it as secure? I am already using it to change the value of the Session cookie after logging in with this code:
// regenerate the session ID after login: create a new ID and overwrite the session cookie
System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
bool isAdd = false, isRedir = false;
// queues the new ASP.NET_SessionId cookie on the current response
manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);
EDIT
I saw that I can set
<httpCookies httpOnlyCookies="false" requireSSL="true" />
But I only want to have this one cookie secure.
Answer 1:
This should enable you to set the cookie as secure:
// Global.asax; needs "using System.Linq;" for SingleOrDefault
void Application_EndRequest(object sender, EventArgs e)
{
    // match the session cookie name case-insensitively among the cookies queued for this response
    var sessionCookieKey = Response.Cookies.AllKeys.SingleOrDefault(c => c != null && c.ToLower() == "asp.net_sessionid");
    // Response.Cookies.Get(null) would queue an empty, nameless cookie, so only look it up when a key was found
    var sessionCookie = sessionCookieKey != null ? Response.Cookies.Get(sessionCookieKey) : null;
    if (sessionCookie != null)
    {
        sessionCookie.Secure = true;
    }
}
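The EndRequest approach above, written out as a complete Global.asax handler; this is an added example, not code from the question or either answer. It assumes the default ASP.NET session configuration and reads the cookie name from the `<sessionState cookieName="...">` setting (via `SessionStateSection.CookieName`) so a renamed session cookie is still matched. It flags only the session cookie, leaves every other cookie untouched, and avoids the `Response.Cookies["name"]` indexer on a name that may be absent, because that indexer creates and queues an empty cookie of that name.

```csharp
// Added example (not from the original question or answers).
// Marks only the ASP.NET session cookie as Secure (and HttpOnly) on the way out.
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public class Global : HttpApplication
{
    // Configured session cookie name, "ASP.NET_SessionId" unless <sessionState cookieName> overrides it.
    private static readonly string SessionCookieName =
        ((SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState")).CookieName;

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Only responses that actually issue the session cookie carry it here;
        // most responses have no session cookie queued, so walk the keys instead of
        // indexing by name (Response.Cookies["x"] silently creates an empty cookie "x").
        foreach (string key in Response.Cookies.AllKeys)
        {
            if (key == null ||
                !string.Equals(key, SessionCookieName, StringComparison.OrdinalIgnoreCase))
            {
                continue; // leave all other cookies exactly as the application set them
            }

            HttpCookie sessionCookie = Response.Cookies[key]; // key exists, so this returns the queued cookie

            // Secure tells the browser to send the cookie over HTTPS only. Setting it on a
            // plain-HTTP response would make the browser drop the cookie and break the session,
            // so only flag it when the request itself arrived over TLS.
            if (Request.IsSecureConnection)
            {
                sessionCookie.Secure = true;
            }

            // Already the default for the session cookie; kept explicit so a config change cannot undo it.
            sessionCookie.HttpOnly = true;
        }
    }
}
```

Verify the result in the browser's developer tools or with a raw response capture: the `Set-Cookie` header for the session cookie should carry `; secure; HttpOnly` on HTTPS responses, while unrelated cookies keep their original attributes. One caveat worth checking in deployment: behind a load balancer or reverse proxy that terminates TLS, `Request.IsSecureConnection` reports the hop to the application server, not the client connection, so the flag would never be set; in that setup the condition needs to come from the proxy's forwarded-protocol information instead, and ideally plain HTTP is redirected to HTTPS so the session cookie is never issued over an insecure response at all.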
Answer 2:
Simply write the code to pass the security audit.
// Global.asax: runs once when a new session is created, i.e. on the response that issues the session cookie
void Session_Start(Object sender, EventArgs e)
{
    if (Request.IsSecureConnection)
    {
        // the session module has already queued the new session cookie by the time this fires,
        // so the indexer returns that cookie instead of creating an empty one
        Response.Cookies["ASP.NET_SessionId"].Secure = true;
    }
}
Source: https://stackoverflow.com/questions/12182054/is-it-possible-to-mark-the-cookie-asp-net-sessionid-as-secure