As we build more and more web applications in the Cloud, security becomes a key aspect of every application. We used to feel a little safer behind the company firewall, but those days are gone…
And as your security is only as strong as your weakest link, it is important to understand every aspect of it. One possible risk is the (wrong) usage of cookies. Most of the time when you create a cookie inside your ASP.NET application, you don't need to read it on the client in JavaScript at all. That matters, because the authentication cookie is exactly what an attacker is after: whoever holds it can replay it and become you. A tool like https://www.cookiecadger.com/ makes this very easy by capturing cookies that travel over unencrypted HTTP, and a script injected through an XSS hole can do the same from inside the page with document.cookie. How can we prevent this? Sniffing is stopped by serving the site over HTTPS and marking the cookie Secure, so the browser never sends it in clear text. Script access is stopped by the HttpOnly flag, which tells the browser to keep the cookie out of reach of document.cookie. In ASP.NET, you have to set the HttpOnly flag to true when creating a cookie:
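The snippet below is an added example and not the code from the original post. It shows the per-cookie way of setting the flags (HttpOnly together with Secure, since the two protect against different ways of stealing the cookie) and, as defence in depth, a Global.asax handler that forces the flags on every outgoing cookie, including ones created by components that ignore web.config. The class and method names (CookieHelper, CreateHardenedCookie) are this example's own choices.

```csharp
using System;
using System.Web;

// Added example: create cookies with the protective flags set explicitly,
// so a forgotten flag cannot slip through when the cookie is created.
public static class CookieHelper
{
    public static HttpCookie CreateHardenedCookie(string name, string value, TimeSpan lifetime)
    {
        return new HttpCookie(name, value)
        {
            // Script on the page (document.cookie) cannot read the cookie;
            // this blunts XSS-based session theft.
            HttpOnly = true,
            // The browser only sends the cookie over HTTPS, so it is never
            // exposed to a sniffer on an open network (Cookie Cadger-style attacks).
            Secure = true,
            Expires = DateTime.UtcNow.Add(lifetime)
        };
    }
}

// Defence in depth (Global.asax): run over every cookie the response is about
// to set and force the flags, whatever code created the cookie.
public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpCookieCollection cookies = Response.Cookies;
        for (int i = 0; i < cookies.Count; i++)
        {
            cookies[i].HttpOnly = true;
            // Only mark Secure when the request actually came in over HTTPS;
            // a Secure cookie set on a plain-HTTP response would never be sent back.
            if (Request.IsSecureConnection)
            {
                cookies[i].Secure = true;
            }
        }
    }
}

// Usage inside a page or controller (token is whatever value you are storing):
// Response.Cookies.Add(CookieHelper.CreateHardenedCookie("session", token, TimeSpan.FromMinutes(20)));
```

The EndRequest sweep only works for cookies that are still in Response.Cookies when the event fires; if a response has already been flushed, its headers are gone and cannot be fixed up. Treat it as a safety net, not as a replacement for setting the flags where the cookie is created.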
Unfortunately HttpOnly defaults to false, so if you forget to set it somewhere you're in trouble. It is safer to make HttpOnly the default for all cookies via the web.config (the same element also has a requireSSL attribute that does the same for the Secure flag):
<httpCookies httpOnlyCookies="true" />
More info: http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html