How to check for insecure cookies
Install the Firecookie extension for Firebug so you can examine the cookie security settings.
Before
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9oHyPf5MJbPuz_Ww8MkuIe4foJw75k016UER2cf1PF3zOz-K2JdOb4IjRDy-5uK6GGSHAjLtrNQpU4i34thhK71AmIC0i7Vw4C4NN0-xZWF7LUOQfmIaP5av-rMSmBqHqflq18QzqRi-E/s400/SessionCookies.png)
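Set requireSSL to true on both the httpCookies element and the forms element in web.config, so the cookies are issued with the Secure flag and are only sent over HTTPS.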
```xml
<system.web>
  <!-- ... -->
  <httpCookies requireSSL="true"/>
  <!-- ... -->
  <authentication mode="Forms">
    <forms name=".ASPXAUTH"
           loginUrl="~/Login.aspx"
           defaultUrl="~/Default.aspx"
           protection="All"
           timeout="30"
           path="/"
           requireSSL="true"
           slidingExpiration="true"
           cookieless="UseCookies"
           enableCrossAppRedirects="false" />
  </authentication>
  <!-- ... -->
</system.web>
```
After
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYU0JSIVpuxLcnb7pEbGM9It3OV9VMZS8gRlhKf3rxD1t6wNjY7aXuoGl2enSbft_KOjpRuufIPQp1l_tR8UcPG_-sTpVq3TJ88OVb4k9Udg14PuSTnvHu7_n2ArAx4yW34TPLt1T4_IN6/s400/SessionCookies-Secure.png)
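The same before/after check can be scripted against the Set-Cookie response headers instead of reading them in a browser extension. This is an added example, not code from the original post; the function names and the header values are constructed for illustration (only the `.ASPXAUTH` cookie name comes from the config above).

```python
# Added example: flag cookies that were issued without the Secure attribute.
# All header values below are constructed samples, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; everything after is an attribute.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (ASP.NET emits lowercase "secure").
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies that lack the Secure attribute."""
    flagged = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            flagged.append(name)
    return flagged


# Constructed "before" headers: requireSSL not set.
BEFORE = [
    "ASP.NET_SessionId=constructedsessionvalue; path=/; HttpOnly",
    ".ASPXAUTH=CONSTRUCTED0123456789ABCDEF; path=/; HttpOnly",
    # A cookie whose *value* is "secure" must still be flagged.
    "theme=secure; path=/",
]

# Constructed "after" headers: requireSSL="true" on httpCookies and forms.
AFTER = [
    "ASP.NET_SessionId=constructedsessionvalue; path=/; secure; HttpOnly",
    ".ASPXAUTH=CONSTRUCTED0123456789ABCDEF; path=/; secure; HttpOnly",
    "theme=secure; path=/; Secure",
]

if __name__ == "__main__":
    print("before:", insecure_cookies(BEFORE))
    print("after: ", insecure_cookies(AFTER))
```

Pass it one string per Set-Cookie header, since a response normally carries a separate header for each cookie.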