Secure session cookies in ASP.NET over HTTPS

Question

I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cook

Answer 1

https://www.isecpartners.com/media/12009/web-session-management.pdf

A 19 page white paper on "Secure Session Management with Cookies for Web Applications"

They cover lots of security issues that I haven't seen all in one spot before. It's worth a read.

Answer 2

The web.config setting to control this goes inside the System.Web element and looks like:

<httpCookies httpOnlyCookies="true" requireSSL="true" />