How can I set the Secure flag on an ASP.NET Session Cookie?

asp.net-session ssl-security
Alex picture Alex · Sep 18, 2009 · Viewed 201.3k times · Source

How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?

Answer

Martin Eden picture Martin Eden · May 31, 2011

In the <system.web> element, add the following element:

<httpCookies requireSSL="true" />

However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.

In that case, you need to add the requireSSL="true" attribute to the forms element as well.

So you will end up with:

<system.web>
    <authentication mode="Forms">
        <forms requireSSL="true">
            <!-- forms content -->
        </forms>
    </authentication>
</system.web>

See here and here for MSDN documentation of these elements.

Related questions

What is the difference between Session.Abandon() and Session.Clear()

What is the difference between destroying a session and removing its values? Can you please provide an example demonstrating this? I searched for this question, but don't grasp total answer. Some answers are: Session.Abandon() destroys the session Session.Clear() …

Read More
How to get a session value in cshtml file in ASP.Net MVC4

Pls help me out, the value is storing in the session for the particular user ,When i am retrieving the session value from cshtml, It is showing the PC-username instead of the particular username present in the data base. please …

Read More
ASP.NET MVC 3 - Dealing with Session variables

I have an app which uses Form's Authentication and when the user log's in, I retrieve the user's actual name and assign that to a session variable, like so: [HttpPost] public ActionResult LogOn(LogOnModel model, string returnUrl) { if (ModelState.IsValid) { …

Read More