Web Connection
Cookie Does Not Contain The "secure" Attribute
  Stein Goering
  All
  Jul 14, 2022 @ 10:04am

This is another complaint we get from customers running security scans against our app.

Is there a way to ensure that cookies have the secure flag set by default? Or do I just need to go through the source looking for AddCookie instances? I'll admit that I haven't paid much attention to WC cookie creation - mostly relying on the framework to handle it.

--stein

re: Cookie Does Not Contain The "secure" Attribute
  Rick Strahl
  Stein Goering
  Jul 14, 2022 @ 11:42am

The secure flag is not set by default but the options to do so are on the various methods. The default generated projects use secure Session cookies - and you can manually set this in one place by adding the secure parameter to the InitSession() call.

For the explicit AddCookie() calls, you have to go through and explicitly add the secure header.

Can't really change the default because that can potentially affect behavior of existing applications.

+++ Rick ---
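To see concretely what the scanner is flagging, here is an added Python check (not Web Connection code and not from either poster) that parses Set-Cookie headers, reports cookies missing the Secure (and HttpOnly) attribute, and shows the corrected header. The cookie names and values are constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure attribute that the scan complains about."""

# Constructed sample headers: one session cookie set with Secure, one explicit
# cookie (as an AddCookie() call might emit) without it.
SAMPLE_HEADERS = [
    "SessionId=abc123; path=/; HttpOnly; Secure",
    "UserPref=dark; path=/; expires=Wed, 13 Jul 2023 10:04:00 GMT",
]


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into cookie name, value and lowercased attributes.

    Attribute names are case-insensitive per RFC 6265, so they are normalised
    to lowercase; flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers, required=("secure", "httponly")) -> dict:
    """Return {cookie_name: [missing attributes]} for cookies lacking any required flag."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [attr for attr in required if attr not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


def ensure_secure(header_value: str) -> str:
    """Return the header with '; Secure' appended when the attribute is absent.

    This is the change the fix amounts to, whether done in the AddCookie()
    call itself or enforced on outgoing responses.
    """
    if "secure" in parse_set_cookie(header_value)["attrs"]:
        return header_value
    return header_value.rstrip().rstrip(";") + "; Secure"


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```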

© 1996-2022