How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the <system.web>
element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms>
element in your system.web\authentication
block, then this will override the setting in httpCookies
, setting it back to the default false
.
In that case, you need to add the requireSSL="true"
attribute to the forms element as well.
So you will end up with:
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
<!-- forms content -->
</forms>
</authentication>
</system.web>