Ehsan Ghanbari

Experience, DotNet, Solutions

Cookie stealing in ASP.NET

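Cookies can be stolen by attackers. Nothing is secure until it is designed to be, so to make your cookies safe, first use HTTPS and make it required in your Web.config. In the httpCookies element below (it goes inside <system.web>), httpOnlyCookies="true" adds the HttpOnly flag so client-side script cannot read the cookie, and requireSSL="true" adds the Secure flag so the browser sends the cookie only over HTTPS: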

 

<httpCookies httpOnlyCookies="true" requireSSL="true" />

 

Personally, I don't store important data in the cookie; I just store a key in the cookie and use that key to fetch the target data from a database, but it doesn't work everywhere and it's not a solution for all problems at all! Anyway, if you can't use HTTPS, you can still set the HttpOnly flag in code for some sensitive cookies, as below (HttpOnly hides the cookie from client-side script; it does not protect the cookie in transit):

 

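    // Requires: using System.Web; (call from a Page or Controller that exposes Response)
    protected void ForceCookieToBeHttpOnly(string cookieName, string cookieValue)
    {
        HttpCookie myHttpCookie = new HttpCookie(cookieName, cookieValue);
        // Set the flag before the cookie is added to the response,
        // so it is never queued without HttpOnly.
        myHttpCookie.HttpOnly = true;
        Response.Cookies.Add(myHttpCookie);
    }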

 

But remember that the only effective solution is HTTPS.
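To confirm that the settings above actually reach the browser, the following added check (not code from the original post) parses Set-Cookie response headers and reports cookies that lack the HttpOnly or Secure attribute, the two flags controlled by httpOnlyCookies and requireSSL. The function names and the sample header lines are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
# SAMPLE_HEADERS is constructed sample data, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as HttpOnly have no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_cookies(set_cookie_headers, sensitive_only=None):
    """Return {cookie_name: [missing flags]} for cookies lacking HttpOnly/Secure.

    sensitive_only: optional set of cookie names to restrict the audit to.
    """
    findings = {}
    for value in set_cookie_headers:
        name, attrs = parse_set_cookie(value)
        if sensitive_only is not None and name not in sensitive_only:
            continue
        missing = [flag for flag in ("HttpOnly", "Secure")
                   if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

SAMPLE_HEADERS = [
    # Both flags present: what httpOnlyCookies + requireSSL should produce.
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure; SameSite=Lax",
    # HttpOnly set in code only, as in ForceCookieToBeHttpOnly above.
    ".ASPXAUTH=DEADBEEF; path=/; httponly",
    # The words appear in the value, not as attributes: a substring search
    # over the whole header would wrongly pass this cookie.
    "pref=Secure-HttpOnly; path=/",
    # '=' inside the value must not confuse the parser.
    "basket=id=42&qty=1; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the Set-Cookie values from a real response (for example, copied from the browser's network tab) in place of the sample list.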
