I got a little curious after reading this /. article over hijacking HTTPS cookies. I tracked it down a bit, and a good resource I stumbled across lists a few ways to secure cookies here. Must I use adsutil, or will setting requireSSL in the httpCookies section of web.config cover session cookies in addition to all others (covered here)? Is there anything else I should be considering to harden sessions further?
+3
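For reference, a web.config fragment (added here as an illustration; it is not from the question or the linked pages) that combines the httpCookies switch mentioned in the question with the other cookie-related settings ASP.NET exposes. The loginUrl and the timeout values are placeholders chosen for the example. Whether the ASP.NET_SessionId cookie actually comes out with the Secure flag is something to confirm in the response, not assume from the config.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Cookies created through HttpCookie default to Secure (sent only over HTTPS)
         and HttpOnly (not readable from script). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Forms authentication ticket: refuse to issue the cookie over plain HTTP.
         loginUrl and timeout are placeholder values for this example. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20" />
    </authentication>

    <!-- Session state: keep the session ID in a cookie, never in the URL,
         so it cannot leak through Referer headers or shared links. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>
</configuration>
```

After deploying, request a page over HTTPS that starts a session and inspect the Set-Cookie header for ASP.NET_SessionId: it should carry both the Secure and HttpOnly attributes. If it does not, the session cookie is not being covered by the httpCookies setting in that version and needs to be handled separately.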
A:
http://www.isecpartners.com/files/web-session-management.pdf
A 19-page white paper on "Secure Session Management with Cookies for Web Applications".
They cover lots of security issues that I haven't seen all in one spot before. It's worth a read.
Aaron Wagner
2008-09-10 14:12:26
Good read. One thing to note: their summary of how to set cookie domains is not accurate for most browser implementations. The RFC specifies that cookies with domain ".example.com" should be retransmitted for requests to example.com or any subdomain of example.com, whereas blank domains (which get turned into "example.com") will only be retransmitted to the example.com domain. In practice, browsers will retransmit cookies from a domain to all child domains regardless of the leading period. So in practice leaving the domain blank offers no security advantage.
Matt Woodard
2010-10-21 19:53:20