Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Cookies over SSL

  1. #1
    msthompson, Junior Member (Join Date: Jul 2011; Posts: 5)

    Cookies over SSL

    Hello,

    My customer requires that cookies be sent via SSL to pass the McAfee security scan.

    This is what I have done so far:

    Modified the forms authentication tag in the web.config file, added requireSSL="true".
    Modified SetCookie function in applogic.cs, added cookie.Secure = true;
    Modified SetSessionCookie function in applogic.cs, added cookie.Secure = true;

    Thus far, these settings have not been enough to flag the cookie as secure. I am still working on this; however, if anyone has already implemented it, I would appreciate any information about additional steps.

    I am using version 9.

    Thank you,
    M. Thompson

  2. #2
    ssgumby, Senior Member (Join Date: Feb 2009; Posts: 683)

    The McAfee security scan will pass with non-secured cookies; you just need to explain to them that there is no sensitive information contained in the cookies and that the cookie is used only to make a better shopping experience.

  3. #3
    msthompson, Junior Member (Join Date: Jul 2011; Posts: 5)

    I have explained this to my customer. They do not consider that an acceptable solution.

    The customer considers the cookies being secure a go-live requirement, even though it is a low-level security flag and no sensitive information is passed.
    Last edited by msthompson; 07-06-2011 at 02:05 PM.

  4. #4
    ssgumby, Senior Member (Join Date: Feb 2009; Posts: 683)

    Unless I'm wrong, and I don't think I am, setting the cookies as secure would mean the entire site would have to run on https, as a secure cookie written won't be read on http.

  5. #5
    lsegura, Junior Member (Join Date: Mar 2012; Posts: 1)

    Cookies over SSL

    Hi,

    Our PCI scan is also failing because the ASPDNSFGUID cookie is not marked as secure. I have added this to the web.config - <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" /> - and it secures all the cookies except ASPDNSFGUID. The site runs in https.

    Lisa
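An added example, not code from this thread or from AspDotNetStorefront, addressing two points raised above: post #5's cookie (ASPDNSFGUID) that the web.config `httpCookies` setting does not reach, and post #4's caveat that a Secure cookie is never returned over plain http. It is a hypothetical ASP.NET HttpModule (the class name, its registration and the EndRequest hook are assumptions) that stamps the Secure and HttpOnly flags on every outgoing cookie, whichever code path wrote it.

```csharp
// Added example (hypothetical, not AspDotNetStorefront code): an IHttpModule
// that enforces Secure/HttpOnly on all cookies the application is about to send.
using System;
using System.Web;

public class SecureCookieModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // EndRequest runs after the page has written its cookies and before
        // the response headers are emitted, so every cookie is still editable.
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;
        HttpCookieCollection cookies = app.Context.Response.Cookies;

        // Post #4's caveat: a browser will not send a Secure cookie back over
        // http, so the flag is only set when this request itself came in over
        // HTTPS (on a site that runs entirely under https this is always true).
        bool overHttps = request.IsSecureConnection;

        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            cookie.HttpOnly = true;          // keep script from reading it
            if (overHttps)
            {
                cookie.Secure = true;        // what the PCI/McAfee scan checks for
            }
        }
    }

    public void Dispose() { }
}

// Registration (assumed; adjust the type name to your assembly), IIS 7 integrated
// pipeline, inside web.config:
//   <system.webServer>
//     <modules>
//       <add name="SecureCookieModule" type="SecureCookieModule" />
//     </modules>
//   </system.webServer>
```

After deploying, confirm the fix from a browser's developer tools or by inspecting the `Set-Cookie` response headers: every cookie, including ASPDNSFGUID, should now carry `Secure` and `HttpOnly`.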