Leaky Application? Secure HTTP Cookies in ASP.NET

Help application security by not leaking information

Plug the Hole

We are all aware of the importance of securing confidential information in our applications, and of keeping information out of an attacker’s hands that could be used for malicious intent. But what about the information we don’t know might be used against us? You know, one of those you-don’t-know-what-you-don’t-know situations, until it’s too late!

Well, if we can reduce the data surface that our applications expose, then we directly reduce the information we are putting into an attacker’s hands. HTTP cookies are a heavily used mechanism for carrying application data to maintain state between different parts of our applications. Whatever camp you might fall into as far as what information should or should not be put into cookies, we don’t always have the luxury of knowing ahead of time what information could be crucial. This might be because of the frameworks and third-party tools we use and how they utilize cookies, or simply because we are unaware of the information being transported. But at the end of the day, the HTTP cookies that our application uses are directly part of our application’s data surface.

Learn why and how to secure your ASP.NET application’s cookies to help reduce the data surface that your application exposes. Although ASP.NET is used here for demonstration purposes, the resulting security measures for HTTP cookies are agnostic to the language or framework.


About the author

Max McCarty

Max McCarty is a software developer with a passion for breathing life into big ideas. He is the founder and owner of LockMeDown.com and host of the popular Lock Me Down podcast.

  • AlanLW

    Just curious; if we set requireSSL="true" in web.config and we are not yet using an SSL, would that then cause the built-in MVC identification/log in process to fail until we get SSL established. This is more of a question to make sure I correctly understood the theory you were speaking to. Thx.

    • Hi Alan,
      Basically, yes is the short answer.

      The reason being is that you have to remember that every request, every server request, or every resource required to be loaded results in a request. By default a browser is going to send along any appropriate (and available) cookie on every one of those requests.

      The Secure flag when set, ensures that the browser will not inadvertently send along the cookies on any request made over HTTP.

      Therefore, any action on the server side that would require the cookies to accurately perform the action such as fetch additional data for an authenticated user, would not receive the cookie(s) if the request was made over HTTP.

      However, just to point out: any time that you are in need of passing any data of any sensitivity, it should be done via HTTPS. So cookies that carry authentication information should only ever be transmitted via HTTPS.
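As an added example of the web.config settings the thread above is discussing (this fragment is not from the article or its comments; the `loginUrl` path is an assumed placeholder), the following applies the Secure attribute to every cookie the application issues and additionally makes Forms authentication refuse to issue its ticket cookie on a non-HTTPS request, which is the "login fails until SSL is in place" behaviour described in the reply:

```xml
<!-- Added example web.config fragment, not the article's own code. -->
<configuration>
  <system.web>
    <!-- Applies to every cookie written through HttpResponse.Cookies:
         requireSSL="true"      adds the Secure attribute, so browsers only
                                attach these cookies to HTTPS requests and
                                never to plain HTTP requests;
         httpOnlyCookies="true" adds the HttpOnly attribute, so page scripts
                                cannot read the cookie values. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- loginUrl is an assumed placeholder path.
           requireSSL="true" here makes the runtime refuse to issue the Forms
           authentication ticket cookie when the request did not arrive over
           HTTPS, so login fails on an HTTP-only site until TLS is configured. -->
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

For individual cookies created in code, the same attributes are the `Secure` and `HttpOnly` properties of `HttpCookie`, and ASP.NET Identity's OWIN cookie middleware has its own `CookieSecure` option (`CookieSecureOption.Always`) that should be set alongside the config above. When checking the effect, look at the `Set-Cookie` response header: every cookie carrying session or authentication data should show `; secure` and `; HttpOnly`.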