I got to read a good article explaining the nuances of cookieless sessions, which prompted me to note down a few important things. Here is the link to the post that started me on this.
To simply enable cookieless sessions, set this in web.config -
<sessionState cookieless="true" />
What this does is make your URLs start looking like -
http://mysite.com/(22b5c4zyybphaw2mt3hjni2n)/Home.aspx
This is obviously not secure: the session ID sits in the URL, where it ends up in browser history, server logs and Referer headers, and anyone who gets hold of the link gets the session with it.
However, what I want to note here is that even plain cookie-based sessions (the default setting in .NET web applications) are not secure enough on their own.
So I did a bit of binging and found out fairly quickly that the best thing to do is obviously to set up the whole web site on SSL (pretty obvious, that one).
However, what if some pages are outside SSL? There is one confusing, closely related setting that might fool someone: the forms element under the authentication tag, with its requireSSL attribute set to true. The problem with this is that it does not secure your session ID cookie. The session ID cookie is generated on the very first hit and sent back to the client before your authentication even kicks in.
There is another related setting called AspKeepSessionIDSecure. What this does is ensure that the session ID cookie travels only over HTTPS traffic, which creates another problem: how to handle the session ID on non-SSL pages.
So to secure your session ID cookie, go to global.asax, into the Session_Start event, and simply mark the session ID cookie as secure. Here is how you do this -
' In Session_Start (global.asax): set the flag on the Response cookie; changing Request.Cookies never reaches the browser
Response.Cookies("ASP.NET_SessionId").Secure = True
This will mark the session ID cookie as secure, so the browser only sends it back over HTTPS. Note that this has the same effect as AspKeepSessionIDSecure above: a non-SSL page will no longer receive the cookie and will start a new session.
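As an added example (not from the original post or the linked articles), here is a web.config fragment that puts the weak setting the post starts with next to the hardened one. The httpCookies element's requireSSL attribute relies on the framework applying its defaults to every cookie the application issues, including ASP.NET_SessionId; the loginUrl and timeout values are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example web.config fragment; values such as loginUrl and timeout are placeholders. -->
<configuration>
  <system.web>
    <!-- The insecure option the post starts with: the session ID is carried in the URL.
         Kept here, commented out, so the weak and hardened settings sit side by side. -->
    <!-- <sessionState cookieless="true" /> -->

    <!-- Hardened: always use a cookie and never fall back to the URL. -->
    <sessionState cookieless="UseCookies" timeout="20" />

    <!-- Marks every cookie the application issues, ASP.NET_SessionId included,
         as Secure (sent only over HTTPS) and HttpOnly (not readable by script),
         so Session_Start needs no per-cookie code. Because Secure stops the cookie
         reaching http:// pages, this only works when the whole site runs on SSL,
         which is what the post recommends anyway. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- requireSSL here protects only the forms authentication ticket cookie,
         not the session ID cookie; this is the confusion the post describes.
         Keep it, but do not rely on it for session state. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

After deploying, confirm the fix by looking at the Set-Cookie response header for ASP.NET_SessionId on the first request to the site: it should carry both the Secure and HttpOnly attributes, and no request URL should contain a session ID segment.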
Some handy resource links on this topic -
http://blogs.msdn.com/b/jaskis/archive/2009/12/23/securing-session-id-asp-asp-net.aspx
http://worldofasp.net/tut/SessionHijack/Securing_Session_In_ASPNET_793.aspx