Thursday, August 6, 2015

Secure Cookie in ASP.NET Application

In a previous blog post, I discusses about the HttpOnly flag in cookies here. In today's blog post, we will be discussing what the secure flag is on a cookie and why we should keep it set.

Secure Flag on Cookie

There is a boolean flag on the cookie called Secure which decides whether to send the cookie on an HTTP request or not. If the flag is set on the cookie, the cookie will not be sent on a regular Http request; it will be transmitted only on Https request.

Imagine if you have a web application which implements Https to be more secure. Once you login, the Authentication cookie (named as .AspNet.ApplicationCookie in my .NET Application) gets set. This cookie gets sent with each subsequent request to inform the server the identity of the logged in user.

If a man in the middle tries to view those requests, they will not be able to see anything as they are encrypted (Https). However, out of multiple requests, if there is even a single request on Http (for example for some resource like Javascript, image, css, etc), the attacker can see all the cookies (including authentication cookie).


Authentication Cookie in .NET

The attacker might be able to convince the user to successfully issue an Http Request through other means (social engineering). Such an Http request poses a serious security vulnerability as authentication cookie is exposed.
Using this authentication cookie, attacker can hijack the victim's session without victim ever even knowing about it.

How To Prevent

In an ASP.NET application, we can set the Secure flag by adding this to web.config:

<httpCookies requireSSL=true/>

This will set the Secure flag on all the cookies.
Or if we want to set it at per cookie level, we can set the HttpCookie.Secure property to true.

Conclusion

So we saw what the secure flag is on a cookie and why we should always set it in our application for cookies carrying sensitive information. This flag does not make the cookie secure from all types of attacks, however, this adds another layer of protection to keep our cookies more secure.
For future updates to my weekly blog, please subscribe to my blog via the "Subscribe By Email" feature at the right and follow me on Twitter. Until then Happy Coding :)

No comments:

Post a Comment