Secure Flag for ASPXAUTH Cookie

AnarchistGeek · Jan 15, 2014 · Viewed 16.4k times

We have an externally facing application which was penetration-tested by an external security company. Application has been developed on ASP.NET MVC4 and running on IIS8/Windows 2012 Server.

One of the vulnerabilities reported was ASPXAUTH is not secure. When I checked on the cookie inspector, there are some cookies with Secure flag. But ASPXAUTH was not one of them.

I did a bit of research, and set the flags below in the web.config

<forms loginUrl="~/Account/Login" timeout="2880"  requireSSL=""  name="AppName" />

and

<httpCookies httpOnlyCookies="true" requireSSL="true" />

Despite these settings, the authentication cookie is not marked as secure. I assumed that these flags should be enough to mark application cookies as secure, but there are a few other cookies which are also not marked as secure. I am not too concerned about them as they don't contain any sensitive information. But I would like to flag ASPXAUTH as secure.

My questions are,

  1. With these flags set on the web.config, is having ASPXAUTH without secure flag a security issue?
  2. If so, could you tell me what the correct way is to mark it as secure?

Thanks.
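For comparison, here are the two web.config elements quoted in the question next to a corrected version. This is an added example, not the asker's posted configuration: the enclosing `<system.web>` and `<authentication mode="Forms">` elements are assumed, and the loginUrl, timeout and cookie name are the values from the question.

```xml
<!-- Added example: only the two elements from the question are shown; the
     <system.web> and <authentication> wrappers are assumed for context. -->
<system.web>
  <authentication mode="Forms">
    <!-- Weak: an empty requireSSL value does not ask Forms authentication
         to issue the ticket cookie with the Secure flag. -->
    <!-- <forms loginUrl="~/Account/Login" timeout="2880" requireSSL="" name="AppName" /> -->

    <!-- Corrected: FormsAuthentication issues the auth cookie with Secure=true,
         and throws if asked to issue it on a request that did not arrive over HTTPS. -->
    <forms loginUrl="~/Account/Login" timeout="2880" requireSSL="true" name="AppName" />
  </authentication>

  <!-- Defaults for cookies created in application code via HttpCookie:
       HttpOnly keeps them away from script, requireSSL marks them Secure. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```

Two caveats when checking the result: the Secure flag is carried by the Set-Cookie header, so a cookie already sitting in a browser is not retroactively protected and only shows the flag once the server issues it again (log out and back in before re-inspecting), and with `requireSSL="true"` on `<forms>` the whole login flow has to run over HTTPS, because browsers will not send a Secure cookie on plain-HTTP requests.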

Answer

AnarchistGeek · Jan 17, 2014

I found this piece of code which made my authentication cookie secure. I can't remember the source of this but if you add it to your global.asax, it sorts the issue. I do not know why but requireSSL=true in your tag was not enough to make it secure.

    using System;
    using System.Web;
    using System.Web.Security;

    // Global.asax.cs: runs once the response is built, so the forms ticket
    // cookie (if this response sets one) can be flagged before it is sent.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        string authCookie = FormsAuthentication.FormsCookieName;

        // Walk the cookies this response is about to set. Checking the
        // response's own keys matters: Response.Cookies[name] creates an empty
        // cookie when none exists, and sending that would overwrite the
        // browser's auth cookie with a blank value.
        foreach (string sCookie in Response.Cookies.AllKeys)
        {
            if (sCookie.Equals(authCookie, StringComparison.OrdinalIgnoreCase))
            {
                // Set the cookie to be secure. Browsers will send the cookie
                // only with requests made over https.
                HttpCookie httpCookie = Response.Cookies[sCookie];
                if (httpCookie != null) httpCookie.Secure = true;
            }
        }
    }
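To confirm the fix from the outside, without relying on a browser's cookie inspector, it is enough to read the Set-Cookie headers of a login response and check which cookies still lack Secure or HttpOnly. The following is an added example, not code from the answer or from the asker's application: the header lines are constructed sample data, and the cookie names and values in them are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Audits Set-Cookie header values for the Secure and HttpOnly attributes.
// Added example; the sample headers in Main() are constructed, not captured.
public static class CookieFlagAudit
{
    public sealed class CookieFlags
    {
        public string Name;
        public bool Secure;
        public bool HttpOnly;
    }

    // Parse one Set-Cookie value, e.g. ".ASPXAUTH=ABC123; path=/; HttpOnly".
    // Attribute names are compared case-insensitively, as browsers do.
    public static CookieFlags Parse(string setCookieValue)
    {
        List<string> parts = setCookieValue.Split(';').Select(p => p.Trim()).ToList();
        string nameValue = parts[0];
        int eq = nameValue.IndexOf('=');
        var flags = new CookieFlags
        {
            Name = eq >= 0 ? nameValue.Substring(0, eq) : nameValue
        };
        foreach (string attr in parts.Skip(1))
        {
            if (attr.Equals("Secure", StringComparison.OrdinalIgnoreCase)) flags.Secure = true;
            else if (attr.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)) flags.HttpOnly = true;
        }
        return flags;
    }

    // Returns one line per cookie that is missing at least one of the two flags.
    public static List<string> FindUnprotected(IEnumerable<string> setCookieValues)
    {
        return setCookieValues
            .Select(Parse)
            .Where(c => !c.Secure || !c.HttpOnly)
            .Select(c => c.Name
                + (c.Secure ? "" : " [missing Secure]")
                + (c.HttpOnly ? "" : " [missing HttpOnly]"))
            .ToList();
    }

    public static void Main()
    {
        // Constructed sample of what a login response might set. In practice,
        // feed in response.Headers.GetValues("Set-Cookie") from an HTTPS request.
        string[] headers =
        {
            ".ASPXAUTH=0123ABCD; path=/; HttpOnly",
            "ASP.NET_SessionId=abcd1234; path=/; HttpOnly; Secure",
            "__RequestVerificationToken=xyz; path=/; HttpOnly; Secure"
        };

        foreach (string line in FindUnprotected(headers))
            Console.WriteLine(line);
    }
}
```

Run it against the headers of the response that actually issues the ticket (the redirect after a successful login), since that is the only response where the auth cookie's flags can be observed; an unchanged cookie on later requests is not re-sent by the server and so will not appear in Set-Cookie at all.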