Troy Hunt did a great blog post about how and why you should secure your cookies.
They are 2 important lessons you can learn from this post:
- Lesson 1: if you don’t need to read the cookie value on the client, disable this function. In ASP.NET you can set this as the default for all cookies through the web.config:
- <httpCookies httpOnlyCookies="true" />
- Lesson 2: allow your cookies to be send only over HTTPS. And again this can be set in the web.config in ASP.NET :
- <httpCookies requireSSL="true" />