asp.net mvc - How to add to Azure Session Cookies HttpOnly and Secure attributes


In an ASP.NET MVC 4 application I use a third-party service. One of the service's terms of use is adding the HttpOnly and Secure attributes to session cookies.

The website is hosted on Windows Azure and works over SSL.

I added the following settings to the root web.config:

    <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    <authentication mode="Forms">
        <forms loginUrl="~" timeout="2880" requireSSL="true" />
    </authentication>

So the application session cookie ".ASPXAUTH" has the HttpOnly and Secure attributes.

But the main problem is that the Azure balancer cookies "WAWebSiteSID" and "ARRAffinity" don't have these attributes.

Could you help me find an appropriate solution to add the missing attributes to them?
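A quick way to see exactly which cookies in a response lack HttpOnly or Secure, as an added example (not code from the question or from Azure): the script below parses Set-Cookie header values the way a browser does (attribute names compared case-insensitively) and reports the missing attributes per cookie. The sample header values are constructed to mirror the situation described above (the forms cookie fully attributed, the two balancer cookies not); the cookie values and the `fetch_set_cookie_headers` helper are hypothetical and only illustrate running the same audit against a live URL.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes."""
from typing import Dict, List, Set, Tuple

# Constructed sample Set-Cookie values resembling what an Azure-hosted
# ASP.NET site might return (hypothetical values, not a real capture).
SAMPLE_SET_COOKIE_HEADERS = [
    ".ASPXAUTH=ABC123; path=/; secure; HttpOnly",
    "ASP.NET_SessionId=XYZ789; path=/; HttpOnly",
    "WAWebSiteSID=deadbeef; Path=/; HttpOnly",
    "ARRAffinity=cafe1234; Path=/; Domain=example.azurewebsites.net",
]

# Attributes the third-party policy in the question requires on every cookie.
REQUIRED_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, set of attribute names).

    Attribute names are lower-cased so "HttpOnly", "httponly" and "HTTPONLY"
    all match, which is how browsers treat them (RFC 6265).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def audit_set_cookie(header_values: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing required attributes]} for each cookie."""
    report: Dict[str, List[str]] = {}
    for value in header_values:
        name, attrs = parse_set_cookie(value)
        report[name] = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    return report


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return its raw Set-Cookie header values.

    Hypothetical helper for running the audit against a real site; it is not
    called by default so the module stays offline.
    """
    import urllib.request

    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

On the constructed sample the report flags `ASP.NET_SessionId` and `WAWebSiteSID` as missing `secure` and `ARRAffinity` as missing both attributes, which is the kind of evidence a scanner report is usually based on; running `fetch_set_cookie_headers` against the deployed site shows which cookies the application itself controls via web.config and which arrive from in front of it.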

I don't believe you can modify the Secure and HttpOnly attributes of cookies added to the response downstream of the app (i.e. by a load balancing appliance that sits in front of the site).

Of course the pragmatic question is "why"? What advantage do you gain by not allowing client script or a MITM on the wire to access these cookies? They're nothing more than bytes of data intended to tie clients to site instances, and contain nothing of a personal nature nor provide any conceivable upside to an attacker (at least not that I can think of).

The answer "because it keeps the security scanning tool happy" may make you feel warm and fuzzy, but of course it doesn't change the practical security position of the site one iota.
