Just a quick tip here. Thanks to John Batdorf for bringing it up. In order to prevent Session Hijacking, when you've got a secure site, it's a good idea to mark your cookies as "secure," meaning that the browser will only send them over HTTPS and never over plain HTTP. This prevents folks from being issued cookies over HTTPS, then switching to HTTP so that the cookie goes over the wire in the clear where sniffers or other evil can pick it up.
There are a few ways to do this in ASP.NET 1.1; here's an easy one. Under 2.0 you can say requireSSL="true" as well and avoid this code altogether (see below). For 1.1, add a handler for Application_EndRequest to your Global.asax.
protected void Application_EndRequest(Object sender, EventArgs e)
{
    // Name of the Forms Authentication ticket cookie (as configured in web.config)
    string authCookie = System.Web.Security.FormsAuthentication.FormsCookieName;

    // Enumerating HttpCookieCollection yields the cookie names as strings
    foreach (string sCookie in Response.Cookies)
    {
        if (sCookie == authCookie || sCookie == "ASP.NET_SessionId")
        {
            // Only apply the 1.x workaround when not running under 2.0, which
            // can emit HttpOnly itself via httpOnlyCookies="true"
            if (System.Environment.Version.Major < 2)
            {
                // Force HttpOnly to be added to the cookie header under 1.x:
                // the Path is written into the Set-Cookie header verbatim
                Response.Cookies[sCookie].Path += ";HttpOnly";
            }

            // Force all cookies to SSL regardless of web.config settings!
            Response.Cookies[sCookie].Secure = true;
        }
    }
}
The check for whether we're running under 2.0 is there to prevent doubling up on the HttpOnly attribute if code compiled under 1.1 is run under 2.0 and you've set httpOnlyCookies to true in web.config:

    <httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />
If you're using older versions of IIS, make sure you have this hotfix (274149) to ensure that IIS respects your secure cookies, or better yet, don't serve traffic on port 80 at all.
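To confirm the change actually took, it is worth looking at the Set-Cookie headers the site sends back. Here is an added example (not code from the original post) that parses Set-Cookie values and reports which of the two sensitive cookies are missing Secure or HttpOnly; it assumes the default forms-auth cookie name .ASPXAUTH, and the sample headers are constructed.

```python
# Added example: audit Set-Cookie headers for the Secure and HttpOnly
# attributes on the ASP.NET auth and session cookies. Sample data is constructed.
from typing import Dict, List, Tuple

# Cookies the post singles out: the forms-auth ticket (assumed default name
# .ASPXAUTH; it follows FormsAuthentication.FormsCookieName) and the session id.
SENSITIVE_COOKIES = (".ASPXAUTH", "ASP.NET_SessionId")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, lower-cased attribute map) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Map each sensitive cookie seen to the list of attributes it is missing.

    Cookies not in SENSITIVE_COOKIES are ignored; a fully hardened cookie
    maps to an empty list.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in SENSITIVE_COOKIES:
            continue
        findings[name] = [f for f in ("secure", "httponly") if f not in attrs]
    return findings


# Constructed sample: a session cookie from an unfixed 1.1 site (no flags), an
# auth cookie emitted with the ";HttpOnly" path trick plus Secure, and a
# harmless preference cookie that should be ignored.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    ".ASPXAUTH=ticketdata; path=/;HttpOnly; secure",
    "prefs=dark; path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "missing:", ", ".join(missing) or "nothing")
```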
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.