RequireSSL – Marking Cookies As Secure

If your site always intends to serve its content over HTTPS/SSL then every request that is passes between the browser\webserver will encrypt the cookies. Excellent – no one monitoring or sniffing the traffic can see the cookie value. However even if you intend to always use HTTPS if ANY content is supplied over http (javascript files, images, incorrect link to a page) then the cookie will be supplied in plain text and could be vulnerable. It is easy to make a mistake and have a download somewhere using http.

If you intend your site to always use HTTPS to serve pages or if your http downloads do not require authentication then set cookies as secure only. Any HTTP (non HTTPS) request will not include the cookies. If you are unable to set this flag for some reason you may want to reevaluate your appraoach as it really should be set.

For standard forms authentication it can be set like so in the web.config under system.web

<httpCookies requireSSL=true/> 

For OWIN you may need to set a flag like below. You can use a parameter in your app settings to turn it off and on in development\production.

if (ConfigurationManager.AppSettings[“SetMyCookieAsSecure”] == “true”)
cookieSecureOption = CookieSecureOption.Always;



One thought on “RequireSSL – Marking Cookies As Secure

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s