I have set the httpCookies requireSSL value to true in web.config and run the web app on my local machine without https running. All runs fine apart from when I try and read the Request.Cookie.

It's not there. I assume because I don't have SSL enabled it never created it, but there was no warning that it failed. I only know when I try to read a cookie value.

Should it not warn you?

+1  A: 

No. What the setting does is that it sends the 'Secure' parameter when setting the cookie. After receiving a cookie with that parameter, the client should only send it back to the server when the connection used is secure.

That's why the client is not sending back the cookie and you're not seeing it. Also, the server should not set this type of cookie over an insecure connection.

See RFC-2109, section 4.2.2 for the explanation on how the 'Secure' attribute is used and interpreted.

Gonzalo
I have thrown an Exception if the cookie does not exist!
Jon
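The client-side rule Gonzalo describes, and the server-side warning the question asks for, as an added example that is not code from the thread or from ASP.NET. The Set-Cookie header values are constructed to resemble what a requireSSL="true" site emits; the helper names are the example's own.

```python
from http.cookies import SimpleCookie

# Constructed sample: what a response might carry when httpCookies requireSSL="true"
SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly",  # flagged Secure
    "theme=dark; path=/",                                  # no Secure flag
]


def parse_set_cookies(headers):
    """Parse Set-Cookie header values into a {name: Morsel} jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def build_cookie_header(jar, scheme):
    """Client rule from RFC 2109 section 4.2.2: a cookie carrying the Secure
    attribute is only returned over a secure channel. Returns the Cookie
    header the client would send, or None if nothing qualifies."""
    sent = []
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue  # withheld on plain http, which is why the server never sees it
        sent.append(f"{name}={morsel.value}")
    return "; ".join(sent) or None


def secure_cookie_warnings(headers, scheme):
    """Server-side check the asker wished for: list every Secure cookie about to
    be set on a non-TLS response, since the client will never return it."""
    jar = parse_set_cookies(headers)
    return [name for name, m in jar.items() if m["secure"] and scheme != "https"]


if __name__ == "__main__":
    jar = parse_set_cookies(SET_COOKIE_HEADERS)
    print("over http :", build_cookie_header(jar, "http"))
    print("over https:", build_cookie_header(jar, "https"))
    print("warnings  :", secure_cookie_warnings(SET_COOKIE_HEADERS, "http"))
```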