Home/ Questions/Q 7052817
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T03:25:45+00:00

I want to secure my cookies, i read about HTTPOnly and Secure cookie flags

  • 0

I want to secure my cookies, i read about “HTTPOnly” and “Secure” cookie flags for the ASP.NET_SessionId cookie.
I create new asp.net project in VS. And in fiddler in Inspectors -> raw i have:

Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

Then i modify web.config :

<system.web>
    <compilation debug="true" targetFramework="4.0" />

    <httpCookies httpOnlyCookies="true" requireSSL="true"/>

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" requireSSL="true" />
    </authentication>

But in fiddler the same data

 Cookie: DXCurrentThemeMVC=Office2010Black; ASP.NET_SessionId=1gq0t1mi234xyljqnxrzbqfx

I think when i add
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
i cant see cookies in fiddler, or cookies will be encrypted. Is this correct result ? Or i have mistake somewhere?

EDIT

and why i dont see in fiddler 

Set-Cookie: ASP.NET_SessionId=ig2fac55; path=/; secure; HttpOnly

but only cookie without set-, and secure, and HttpOnly also in firebug i see the same results

EDIT2
It seems like i find my problem: i host app on iis and in firebug look for cookies, and i have cookies with secure and httpOnly Flags:

ASP.NET_SessionId=98sfd90sdf89sd0f80s8; path=/; secure; HttpOnly
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Take a look at the httpCookies Element session in MSDN.

    httpOnlyCookies sets the HttpOnly flags in response header.
    See Protecting Your Cookies: HttpOnly article.

    requireSSL force the cookie to be transferred through a secure channel, so it’s not removed and is encrypted during the transport.

    • 0