I got a little curious after reading this /. article about hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? Is there anything else I should be considering to harden sessions further?
2 Answers
https://www.isecpartners.com/media/12009/web-session-management.pdf
A 19-page white paper on "Secure Session Management with Cookies for Web Applications".
They cover lots of security issues that I haven't seen all in one spot before. It's worth a read.
2 Comments
Matt Woodard
Good read. One thing to note: their summary of how to set cookie domains is not accurate for most browser implementations. The RFC specifies that cookies with domain ".example.com" should be retransmitted for requests for example.com or any subdomain of example.com, whereas blank domains (which get turned into "example.com") will only be retransmitted to the example.com domain. In practice browsers will retransmit cookies from a domain to all child domains regardless of the leading period. So in practice leaving the domain blank offers no security advantage.
Stelloy
Link has moved to isecpartners.com/media/12009/web-session-management.pdf
The web.config setting to control this goes inside the System.Web element and looks like:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
1 Comment
Brad Patton
I got here from Google, and at first it wasn't clear what the answer was, so I'm adding this for the next guy.
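Whatever the configuration route, the thing worth verifying is the actual Set-Cookie headers the application sends, since the session cookie can end up with different flags than the application's own cookies. The following is an added example, not code from the question, the answers, or the white paper: a small checker that parses Set-Cookie header values and reports which cookies lack the Secure or HttpOnly flag, and what Domain scope they carry. The sample headers (cookie names ASP.NET_SessionId and .ASPXAUTH with made-up values) are constructed for illustration; point it at the headers from your own responses to confirm that a web.config change took effect on the session cookie and not only on application cookies.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example (not from the original question or answers). Feed it the
Set-Cookie header values a response carries and it reports which cookies
would still travel over plain HTTP or be readable from script.
"""
from typing import Dict, List, NamedTuple


class CookieReport(NamedTuple):
    name: str
    secure: bool
    http_only: bool
    domain: str          # "" means no Domain attribute (host-only cookie)
    problems: List[str]


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into a CookieReport.

    Attribute names are matched case-insensitively, as browsers do, so
    'secure' and 'Secure' are treated the same.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    secure = "secure" in attrs
    http_only = "httponly" in attrs
    # A leading dot on Domain is ignored by current browsers; normalise it.
    domain = attrs.get("domain", "").lstrip(".").lower()

    problems: List[str] = []
    if not secure:
        problems.append("missing Secure: cookie is sent over plain HTTP")
    if not http_only:
        problems.append("missing HttpOnly: cookie is readable by script")
    return CookieReport(name, secure, http_only, domain, problems)


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [problems]} for every cookie that has a problem."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        report = parse_set_cookie(header)
        if report.problems:
            findings[report.name] = report.problems
    return findings


# Constructed sample headers. BEFORE is the kind of output seen when only
# the forms-auth cookie is HttpOnly and nothing is marked Secure; AFTER is
# what both cookies look like once requireSSL and httpOnlyCookies apply.
BEFORE = [
    "ASP.NET_SessionId=abc123; path=/",
    ".ASPXAUTH=ticket; path=/; HttpOnly",
]
AFTER = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; secure",
    ".ASPXAUTH=ticket; path=/; HttpOnly; secure",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(hdrs) or "no problems")
```

The session cookie is the one to watch: if it is the only entry left in the report after a configuration change, the change covered the application cookies but not the session cookie.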