Secure Flag for ASPXAUTH Cookie

Backend · Unresolved · 4 · 579
天涯浪人 2021-02-07 21:37

We have an externally facing application which was penetration-tested by an external security company. The application has been developed on ASP.NET MVC4 and is running on IIS8/Windows

4 answers
  •  隐瞒了意图╮
    2021-02-07 22:05

    I found this piece of code which made my authentication cookie secure. I can't remember the source of this, but if you add it to your global.asax, it sorts the issue. I do not know why, but requireSSL=true in your tag was not enough to make it secure.

      using System;
      using System.Linq;
      using System.Web;
      using System.Web.Security;

      // Global.asax.cs
      protected void Application_EndRequest(object sender, EventArgs e)
      {
          string authCookie = FormsAuthentication.FormsCookieName;

          // HttpCookieCollection enumerates cookie names
          foreach (string sCookie in Request.Cookies)
          {
              if (sCookie.Equals(authCookie))
              {
                  // Only touch the cookie when this response is actually (re)issuing it.
                  // Indexing Response.Cookies by a name that is not present creates an
                  // empty cookie of that name, so a null check on the result can never
                  // fire and an empty auth cookie would be sent to the browser instead.
                  if (!Response.Cookies.AllKeys.Contains(sCookie)) continue;

                  // Set the cookie to be secure. Browsers will send the cookie
                  // only to pages requested with https
                  HttpCookie httpCookie = Response.Cookies[sCookie];
                  httpCookie.Secure = true;
              }
          }
      }

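    The same result can be reached declaratively, which is usually preferable to patching cookies in Application_EndRequest. The fragment below is an added example, not code from the question or the answer, and assumes an ASP.NET 4.x web.config with forms authentication. `requireSSL="true"` on the `<forms>` element only affects the cookie that FormsAuthentication itself issues; `<httpCookies requireSSL="true">` marks every cookie the application sets as Secure (and `httpOnlyCookies="true"` adds HttpOnly), which is what a pentest scanner looking at Set-Cookie headers will check.

    ```xml
    <!-- Weak configuration (example, constructed for illustration): the auth
         cookie is issued without the Secure flag and other cookies are untouched -->
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login" timeout="30" />
        </authentication>
      </system.web>
    </configuration>

    <!-- Hardened configuration: forms cookie requires SSL, and every cookie the
         application emits gets Secure + HttpOnly at the framework level -->
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login"
                 timeout="30"
                 requireSSL="true"
                 cookieless="UseCookies" />
        </authentication>
        <httpCookies requireSSL="true" httpOnlyCookies="true" />
      </system.web>
    </configuration>
    ```

    To confirm the fix, log in over https and inspect the response headers: the `Set-Cookie: .ASPXAUTH=...` line must carry `; secure; HttpOnly`. Note that with `requireSSL="true"` the forms cookie is never accepted over plain http, so any http-only test environment will appear logged out.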
