Thursday, March 18, 2010

Secure ASP.NET Session Cookies

How to check for insecure cookies

Install the Firecookie extension for Firebug so you can examine the cookie security settings.

Before

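Set requireSSL to true on both the httpCookies element and the forms element in web.config, so that the cookies are issued with the Secure flag.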

  <system.web>
    <!-- ... -->
    <httpCookies requireSSL="true"/>
    <!-- ... -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             defaultUrl="~/Default.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true"
             slidingExpiration="true"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>
    <!-- ... -->
  </system.web>
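
To check the same two settings without a browser, the following added example (not part of the original post) audits a web.config for requireSSL on httpCookies and on forms. The function name audit_require_ssl and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config that leaves requireSSL at its default (false).
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample: the same file with both settings from the post applied.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpCookies requireSSL="true"/>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""


def _is_true(element):
    """requireSSL counts as set only when the attribute is present and 'true'."""
    return element is not None and element.get("requireSSL", "false").lower() == "true"


def audit_require_ssl(config_xml):
    """Return a list of findings; an empty list means both settings are on."""
    root = ET.fromstring(config_xml)
    # Drop any XML namespace so the same paths work with or without xmlns.
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    system_web = root if root.tag == "system.web" else root.find(".//system.web")
    if system_web is None:
        return ["no <system.web> section found"]
    findings = []
    if not _is_true(system_web.find("httpCookies")):
        findings.append('<httpCookies> is missing requireSSL="true"')
    auth = system_web.find("authentication")
    # The forms element only matters when Forms authentication is in use.
    if auth is not None and auth.get("mode", "").lower() == "forms":
        if not _is_true(auth.find("forms")):
            findings.append('<forms> is missing requireSSL="true"')
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_require_ssl(xml) or "OK")
```
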

After

See Also: