ASP.NET - cookieless=UseCookies - only session id in browser? No client cookies?

asp.net security cookieless
woiix picture woiix · Apr 12, 2012 · Viewed 8k times · Source

I'm working on asp.net (4.0) web site. I was trying to use form authentication (). Obviously trying to have some of pages secure. My understanding that best solution for security is to set cookieless="UseCookies" so it not going to write id to URL.

My question is what exactly happening when I use cookieless="UseCookies".

  1. Is session created and some id stored in Browser(~memory which used later to pull info from IIS server side session "cookie") or it's actually spouse to create "regular" client side encrypted cookie?

(I'm obviously trying to avoid writing to URL and to client side cookies - not sure if all that could be avoided)

  1. If it sets ID in Browser does all the browsers allow store session ID in it. If it's not allowed by Browser what is going to happened? Is there a way to pre check it?

So I guess as all of us I'm just trying to build proper secure application if anyone got any other suggestion it will be greatly appreciated.

Tanks a lot,

Answer

bobek picture bobek · Apr 14, 2012

If you allow cookies so set cookieless="false" the sessionID will be stored in the cookie and it'll be accessible throughout the length of the session (which by default is 20 minutes.)

If you allow cookies and the user will have cookies disabled in the browser, sessionID will not be stored anywhere, and every times user creates a new request (by going to another page) he will get new sessionID, thus no data can be kept.

You can use cookieless="true" which will encrypt and append sessionID to the url, so that the user will be able to keep the session even though his cookies are enabled.

There is also a cookieless="AutoDetect" which will determine if the user has cookies disabled or enabled and based on that will either create a cookie with sessionID or throw it to the URL. The downside of this, is that each request to your page is resulting in 3 requests, one request determines if the user has cookies enabled, appends a query string with the result from first request, and third takes the user to appropriate URL.

There is also a setting that will turn cookieless off and on based on data about the browser. So if someone is browsing your page with 10 years old mobile phone it'll probably append cookies to URL as there is no option to allow cookies on that device.

I hope this helps. I personally would message the user to enable cookies and don't even worry about other cases but some people (like my boss, for example) doesn't like the idea and wants everyone supported.

Related questions

What are all the user accounts for IIS/ASP.NET and how do they differ?

Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how to they differ, and which one is REALLY the one that my app runs under. …

Read More
X-Frame-Options Allow-From multiple domains

I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header. I also need to enable my site pages to be iframed from my same domain as well as from my facebook app. Currently I have …

Read More
ASP.NET Identity's default Password Hasher - How does it work and is it secure?

I am wondering wether the Password Hasher that is default implemented in the UserManager that comes with MVC 5 and ASP.NET Identity Framework, is secure enough? And if so, if you could explain to me how it works? IPasswordHasher interface …

Read More