
CODE: SECURE YOUR SITECORE COOKIES

  • By Andy Burns

Setting the Secure Flag

 So, a Sitecore site I've been working on recently underwent a penetration test, which turned up an interesting item. 

The ASP.NET_SessionId and SC_ANALYTICS_GLOBAL_COOKIE cookies aren't set with the 'Secure' flag.  

Furthermore, my own checking showed that the .ASPXAUTH token was also set without the 'Secure' flag.
As the entire site is only served over HTTPS, this seems to be a bit remiss.

Fortunately, there are a couple of easy fixes for this that can be set in the Web.config.

Under and set requireSSL:



And in set requireSSL too.



This latter one is needed for the .ASPXAUTH cookie, but that seems to do it.

Don't forget to set the HTTPOnly flag as appropriate for your cookies too!
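The two Web.config switches above, plus the HttpOnly one, are the standard ASP.NET settings `httpCookies requireSSL`, `httpCookies httpOnlyCookies` and `forms requireSSL`. As an added example (not code from the original post or from Sitecore), the script below does the two checks a practitioner wants after such a fix: it parses a Web.config fragment and confirms those attributes are actually present, and it audits a set of `Set-Cookie` response headers the way the penetration test did, reporting which cookies still lack `Secure` or `HttpOnly`. The config fragments and the three cookie headers are constructed sample data; the cookie names are the ones named in the post.

```python
"""Added example, not the post's own code: audit ASP.NET cookie flags.

check_web_config()  - parse a Web.config fragment and confirm the standard
                      ASP.NET switches: system.web/httpCookies@requireSSL
                      (ASP.NET_SessionId and other framework cookies),
                      system.web/httpCookies@httpOnlyCookies (HttpOnly flag)
                      and system.web/authentication/forms@requireSSL (.ASPXAUTH).
audit_set_cookie()  - inspect Set-Cookie headers and list missing flags,
                      as a post-deployment smoke test or a pentester would.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "before" config a pentest would flag, and the fix.
BEFORE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="/login" />
    </authentication>
  </system.web>
</configuration>"""

AFTER_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="/login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

# Constructed sample Set-Cookie headers (values are placeholders).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "SC_ANALYTICS_GLOBAL_COOKIE=def456|False; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/",
    ".ASPXAUTH=ghi789; path=/; HttpOnly; Secure",
]


def _is_true(value):
    """ASP.NET attribute values are case-insensitive booleans."""
    return (value or "").strip().lower() == "true"


def check_web_config(xml_text):
    """Return {setting: bool} for the cookie-related Web.config switches."""
    root = ET.fromstring(xml_text)
    http_cookies = root.find("./system.web/httpCookies")
    forms = root.find("./system.web/authentication/forms")
    return {
        "httpCookies.requireSSL": http_cookies is not None and _is_true(http_cookies.get("requireSSL")),
        "httpCookies.httpOnlyCookies": http_cookies is not None and _is_true(http_cookies.get("httpOnlyCookies")),
        "forms.requireSSL": forms is not None and _is_true(forms.get("requireSSL")),
    }


def audit_set_cookie(set_cookie_headers):
    """Return {cookie_name: [missing flags]} for each Set-Cookie header.

    Cookie attributes are separated by ';' and are case-insensitive, so the
    first segment is the name=value pair and the rest are attributes.
    """
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        findings[name] = missing
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, check_web_config(cfg))
    for name, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing) or 'nothing'}")
```

One caveat worth knowing before flipping `requireSSL`: ASP.NET enforces it at cookie-issue time and throws an HttpException if the request it sees is not HTTPS, so on a site behind a TLS-terminating load balancer where the application itself receives plain HTTP, the setting breaks logins rather than silently doing nothing. Run the header audit against the real hostname after deployment rather than trusting the config alone.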

Andy Burns
Senior Developer, 3chillies
