views: 157

answers: 5
+6  Q: 

Cookie & Https

I'm trying to write a cookie in ASP.NET under https, but I see a plain text cookie in the client machine. Shouldn't the cookie be encrypted by default under an https connection?

+6  A: 

Your cookie will only be encrypted during transmission of the cookie to/from your browser. If you want the cookie to be encrypted in the browser's cookie store, you'd need to encrypt it on the server first and then decrypt on the server upon use in server side scripts.

SSL/TLS is just a transport security mechanism to encrypt requests/responses on the wire; it is up to the browser to provide a mechanism to store cookies securely on the client (or, as mentioned above, your application can do this).

Kev
A: 

It should be encrypted on the wire then decrypted by your browser.

Greg
+6  A: 

Short answer is no, cookies are not encrypted in ASP.NET under SSL. SSL is a transport-level protocol, encrypting only the communications between the client and server. Cookies and query-string values are NOT encrypted by SSL. Once the cookie is on the client machine, it is left in whatever format it left the server in.

Josh E
+1  A: 

Nope, AFAIK only the transfer is encrypted; the cookie on the client side isn't. You should encrypt it yourself for better security.

streetpc
A: 

This might help you encrypt the cookie: http://www.15seconds.com/Issue/021210.htm

Example uses Triple DES though, that may or may not be the best algorithm depending on your perspective.

Oorang
Just for future reference, I ended up using this: http://69.10.233.10/KB/aspnet/DataEncryption.aspx. It uses the framework classes and a machine key.
Dante
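The approach Kev describes (encrypt on the server before writing the cookie, decrypt on the server when reading it) and the machine-key based method Dante settled on can be combined into one small helper. The following is an added example, not code from the thread or from either linked article; it assumes classic ASP.NET on .NET 4.5 or later (System.Web) and uses the framework's MachineKey.Protect / MachineKey.Unprotect, which encrypt and integrity-protect the value with the application's machine key. The class name, the purpose string and the method names are this example's own choices.

```csharp
// Added example (not from the original thread): protect a cookie value server-side
// with the ASP.NET machine key before it leaves the server, and verify/decrypt it on
// the way back in. Assumes System.Web (classic ASP.NET, .NET 4.5+).
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class ProtectedCookie
{
    // Purpose string (assumed name) binds the ciphertext to this use, so a blob
    // protected for some other purpose in the same app cannot be replayed as this cookie.
    private const string Purpose = "ProtectedCookie.v1";

    // Write path: UTF-8 plaintext -> MachineKey.Protect (encrypt + MAC) -> URL-safe base64.
    // The cookie is also flagged Secure (HTTPS only) and HttpOnly (no script access).
    public static void Write(HttpResponse response, string name, string value, DateTime? expires = null)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] sealedBytes = MachineKey.Protect(plain, Purpose);
        var cookie = new HttpCookie(name, HttpServerUtility.UrlTokenEncode(sealedBytes))
        {
            Secure = true,
            HttpOnly = true
        };
        if (expires.HasValue) cookie.Expires = expires.Value;
        response.Cookies.Add(cookie);
    }

    // Read path: returns the original value, or null when the cookie is missing,
    // malformed, tampered with, or was protected under a different machine key.
    // Callers must treat null as "no trusted value", never as an empty string.
    public static string Read(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (sealedBytes == null) return null;
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            return plain == null ? null : Encoding.UTF8.GetString(plain);
        }
        catch (FormatException)        // not valid URL-token base64
        {
            return null;
        }
        catch (CryptographicException) // MAC check failed or wrong key
        {
            return null;
        }
    }
}
```

Usage from a page or handler is `ProtectedCookie.Write(HttpContext.Current.Response, "prefs", "theme=dark")` and later `ProtectedCookie.Read(HttpContext.Current.Request, "prefs")`. Two points worth keeping in mind: on a web farm the `<machineKey>` element in web.config must be set explicitly so every node can decrypt what the others wrote, and encryption only keeps the value opaque and tamper-evident on the client; it does not stop a stolen cookie from being replayed, so anything that must not be replayable belongs in server-side session state rather than in the cookie itself.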