How to ensure that cookies are always sent via SSL when using ASP.NET on IIS 7.5?

You can use app.config to force it; the format is (in the <system.web> section)

<httpCookies domain="String"
             httpOnlyCookies="true|false" 
             requireSSL="true|false" />

so you really want, at a minimum

<httpCookies requireSSL='true'/>

But preferably you'll also turn httpOnlyCookies on, unless you're doing some really hooky javascript.


The safest way to protect your site against Firesheep (and related attacks):

  • Move to site-wide SSL protection: Move your entire site to HTTPS, and disable all HTTP access. In other words, protect your entire site with SSL. Here are some more resources on doing that: how to protect against Firesheep, pros and cons of site wide SSL, why SSL protects against Firesheep.

  • Set the SECURE flag on all cookies: Whenever the server sets a cookie, arrange for it to set the SECURE flag on the cookie. The SECURE flag tells the user's browser to only send back this cookie over SSL-secure (HTTPS) connections; the browser will never send a SECURE cookie over an unencrypted (HTTP) connection. The simplest step is to set this flag on every cookie your site uses.

Also, I recommend some additional steps:

  • Be careful about third-party content: Third-party widgets, libraries, and content can be a security risk. If you include Javascript from third parties (e.g., via <SCRIPT SRC=...>), I recommend that you make sure they reference HTTPS URLs; otherwise, you are exposing the security of your site to active attacks. (See also Jeremiah Grossman's FAQ on third-party widgets.) To avoid inundating your users with mixed-content warnings, you'll want to ensure that all content, including third-party images and libraries, is delivered through HTTPS as well.

Some might argue that the above is overkill. In some cases, it may be possible to protect against Firesheep by using SSL on only part of the site. However, doing so requires care and detailed knowledge, and is trickier to get right. Given that you have to ask the question here, I personally recommend that you start with site-wide SSL; you have a better chance of getting it right.

How to implement this in IIS: I am not an IIS expert, so I cannot give you a definitive recipe on how to implement these steps in IIS. However, this reference on enabling SSL on IIS may be useful to you. It sounds like you can right-click on the site root, choose Properties, click on the Directory Security tab, then in Secure Communications, click Edit and enable Require Secure Channel (SSL). I do not know how to configure IIS to set the SECURE flag automatically on all cookies.

For migrating an existing site, I recommend that you set up a redirect so that anyone who visits an HTTP page is redirected to HTTPS. The following references may help with that (untested): redirecting to HTTPS, three methods for redirecting to HTTPS. If migrating an existing site, you will also need to change all links and references to your site from http: URLs to https: URLs.

I'm not certain how to configure ASP.NET to set the SECURE flag on all cookies, but I think you can add cookieRequireSSL="true" or <httpCookies requireSSL="true"> to your Web.config; that is important to do, and especially important if you have HTTP enabled or if you have some kind of redirect from HTTP pages to HTTPS pages. Finally, there's a lot of material published on performance tuning for HTTPS.
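Both answers above come down to the same verifiable property: every cookie the site sets must carry the Secure flag (and, unless client-side script needs it, HttpOnly), and plain HTTP requests must be redirected to HTTPS rather than served. Whether you achieve that with `<httpCookies requireSSL="true" httpOnlyCookies="true"/>` in Web.config or by setting the flags per cookie in code, the way to confirm it worked is to look at the `Set-Cookie` headers the server actually emits. The script below is an added example, not code from either answer: it parses `Set-Cookie` header values, reports any cookie missing Secure or HttpOnly, and checks that a response to an `http://` request is a redirect to an `https://` URL. The header lines in it are constructed sample data; the cookie names `ASP.NET_SessionId` and `.ASPXAUTH` are the defaults ASP.NET uses for session state and forms authentication.

```python
"""Audit Set-Cookie headers for the Secure/HttpOnly flags and check HTTP->HTTPS redirects.

Added example (not from the original answers). Feed it the raw header values
captured from your own site, e.g. via curl -I or the browser's network tab.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie header values, as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",          # missing Secure
    ".ASPXAUTH=tokenvalue; path=/; secure; HttpOnly",      # correct
    "prefs=dark; path=/",                                  # missing both flags
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute-lowercase: value}).

    Per RFC 6265 the cookie value cannot contain ';', so splitting on ';' is safe.
    Flag attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return name, attrs


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing flags]} for every cookie lacking Secure or HttpOnly.

    A cookie that carries both flags does not appear in the result, so an empty
    dict means every cookie is confined to HTTPS and hidden from script.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def redirects_to_https(status: int, location: Optional[str]) -> bool:
    """True if a response to a plain-HTTP request is a redirect to an https:// URL.

    Any 3xx with an https Location is accepted; a 200 over HTTP means the page
    was served in the clear, which is exactly what site-wide SSL is meant to stop.
    """
    return 300 <= status < 400 and bool(location) and location.lower().startswith("https://")


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    print("HTTP redirects to HTTPS:", redirects_to_https(301, "https://example.com/"))
```

Run it against real captured headers after changing Web.config; if `audit_cookies` still reports the session or authentication cookie, the `requireSSL` setting did not take effect for that cookie and it will be sent over any HTTP request the browser makes, redirect or not.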