
Would you please help me? I'm a bit confused about how to use the attribute [RequiresHttps] and the <httpCookies requireSSL="true" />. My question is:

If I use <authentication mode="Forms"> <forms requireSSL="true"> and <httpCookies requireSSL="true" /> then I don't need to use the attribute [RequiresHttps]?

In my opinion, <httpCookies requireSSL="true" /> instructs the application to manage the auth cookie with https.

1 Answer

In order to have a secure website you need to use:

  1. RequiresHttps, which forces the request to be served only over https; I recommend setting this attribute as a global filter.
  2. The setting <httpCookies requireSSL="true" httpOnlyCookies="true" />, where httpOnlyCookies disables access to the cookies from client-side scripts and requireSSL forces all cookies to be passed only through secured http requests.

For more details about securing cookies, please refer to this article by Troy Hunt.


2 Comments

Thank you. Two more questions... 1. So, I always have to use the attribute RequireHttps and <httpCookies requireSSL="true" /> wherever my app receives important info; it's not one or the other, and for better security in specific scenarios it is good to use both? 2. Where am I supposed to check your answer as correct, in order to let other people know that your answer fulfills my expectations?
Hello. First, you should use both https and secure cookies in all scenarios, not just for important info such as login; you can check the following link for more details: troyhunt.com/2013/05/…. Second, you should mark it if you feel that it is well written and works for you; also check this for details: meta.stackexchange.com/questions/5234/…
