Home/ Questions/Q 7682075
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T18:29:02+00:00

I’ve been seeing a trend in my log files recently of user agent Microsoft

  • 0

I’ve been seeing a trend in my log files recently of user agent “Microsoft URL Control – 6.01.9782” causing issues. When I trace the IP it comes from China or India. Our website is very local specific so we get very few visitors from outside of the city.

The interesting thing that’s new is that I’m seeing a valid logged in user via openID. My guess as to what is happening is that the users computers cookies are being cloned and a virus is hijacking the session. I’m using built in asp.net authentication to handle my cookies and Microsoft doesn’t include any checks for IP or user agent so I know I can copy cookies and forge a log in.

I have seen both Google and Facebook accounts log in like this.

My questions are:

A) Is there an easy way to make asp.net authentication more secure?

B) What should I do about these accounts? (best practice) I don’t collect any personal information and have no way to contact some of my users.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can use the HttpOnly that prevents client-side script from accessing the cookie via the document.cookie property. Cookies will still roundtrip but will be inaccessible by scripts and will not be stolen.

    With ASP.NET 1.1, add in Global.asax the code bellow:

    protected void Application_EndRequest(Object sender, EventArgs e)
{    
    foreach(string cookie in Response.Cookies)    
    {        
        const string HTTPONLY = ";HttpOnly";        
        string path = Response.Cookies[cookie].Path;       
        if (path.EndsWith(HTTPONLY) == false)       
        {            
            //force HttpOnly to be added to the cookie           
            Response.Cookies[cookie].Path += HTTPONLY;        
        }    
    }
}

    With ASP.NET 2.0 and above, you can use the web.config:

    <system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>

    If the security is something very important in your system, a better approach is to invest in a SSL (Secure Sockets Layer) connection to your site. You can then set a cookie property that causes the cookie to be transmitted only if a SSL connection is present. SSL does not protect the cookie from being read or manipulated while it is on the user’s computer, but it does prevent the cookie from being read while in transit because the cookie is encrypted.
    This approach requires the acquisition of a SSL certificate.

    This can be done in the httpcookies element of web.config.

    <system.web>
    <httpCookies requireSSL="true" />
</system.web>

    If the connection is not SSL the cookie is not sent to the server.

    See more:

    ASP.NET Cookies FAQ

    Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0

    • 0