Just a quick tip here. Thanks to John Batdorf for bringing it up. To help prevent session hijacking on an HTTPS site, mark your cookies as "secure": a browser will only send a Secure cookie over HTTPS, never in a plain HTTP request. Without that flag, a session or Forms Authentication cookie that was issued over HTTPS goes out in the clear the moment the user (or a link on one of your own pages) hits an http:// URL on the same site, and anyone with a sniffer on the path can read it and replay it as that user.

There are a few ways to do this in ASP.NET 1.1; here's an easy one. Under ASP.NET 2.0 you can set requireSSL="true" in web.config and skip this code altogether (see below). For 1.1, add an Application_EndRequest handler to your Global.asax.

This chunk of code is multipurpose, so don't blindly copy-paste it. Note that it also marks the Forms Auth cookie and the Session cookie HttpOnly. That isn't required for the Secure flag to work, but it is a good idea: an HttpOnly cookie can't be read from script, so a cross-site scripting bug on your site can't lift the session with document.cookie. If you have JavaScript DOM code that reads a particular cookie, don't mark that cookie HttpOnly.

protected void Application_EndRequest(Object sender, EventArgs e)
{
    // Global.asax handlers are wired up by name; there is nothing to override.
    string authCookie = System.Web.Security.FormsAuthentication.FormsCookieName;

    // Enumerating HttpCookieCollection yields the cookie names as strings.
    foreach (string sCookie in Response.Cookies)
    {
        if (sCookie == authCookie || sCookie == "ASP.NET_SessionId")
        {
            if (System.Environment.Version.Major < 2)
            {
                // 1.x has no HttpOnly property, so smuggle the attribute in
                // through the Path: the header then renders as "path=/;HttpOnly".
                Response.Cookies[sCookie].Path += ";HttpOnly";
            }
        }
        // Force all cookies to SSL regardless of web.config settings!
        Response.Cookies[sCookie].Secure = true;
    }
}

The version check is there so you don't end up with the HttpOnly attribute twice when code compiled under 1.1 runs under 2.0 with httpOnlyCookies set to true in web.config. Under 2.0 the whole handler can be replaced by this element inside <system.web>, which marks every cookie the application issues as HttpOnly and Secure:

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />

If you use Forms Authentication, also set requireSSL="true" on the <forms> element: with that on, FormsAuthentication refuses to issue the authentication ticket on a request that didn't arrive over SSL, instead of quietly sending it in the clear. And remember that requireSSL does exactly what it says: once the cookies are Secure, the browser won't present them on any http:// page of the site, so any pages you still serve over plain HTTP will see an anonymous user with a fresh session.

If you're running an older version of IIS, make sure you have hotfix 274149 installed so that IIS honors the Secure flag on your cookies, or better yet, don't serve the application on port 80 at all: if there is no HTTP listener, there is no plaintext request for the cookie to leak into.
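Whichever approach you take, check what the server actually emits rather than trusting the config. The script below is an added example, not code from this post: paste the Set-Cookie lines from a response (from Fiddler, your browser's network pane, or a raw HTTP client) into it and it reports every cookie missing Secure and every session or auth cookie missing HttpOnly. It is written in Python because it is an audit tool run from the tester's machine, not server code. The sample headers are constructed to mirror what the 1.x Path hack above and the 2.0 httpCookies settings render; .ASPXAUTH is ASP.NET's default Forms Auth cookie name and ASP.NET_SessionId its default session cookie name.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this post, not Hanselman's code. The header lines
below are constructed samples, not captured traffic.
"""

# Cookies that carry a session or authentication token: these must be
# both Secure and HttpOnly. Other cookies only need Secure on an SSL
# site, since page script may legitimately need to read them.
SESSION_COOKIES = {"ASP.NET_SessionId", ".ASPXAUTH"}

# Constructed sample responses (not real traffic):
#  1. what the 1.x Path hack renders: Path is "/;HttpOnly", so the
#     attribute rides along inside the path= field
#  2. what ASP.NET 2.0 emits with httpOnlyCookies="true" requireSSL="true"
#  3. a preference cookie that was never marked Secure
SAMPLE_HEADERS = [
    "Set-Cookie: ASP.NET_SessionId=hk2jshlj3l4kfmf3s; path=/;HttpOnly; secure",
    "Set-Cookie: .ASPXAUTH=5C3A9F1E7B; path=/; secure; HttpOnly",
    "Set-Cookie: prefs=lang=en&theme=dark; path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie line into (cookie name, {attribute: value}).

    Accepts the line with or without the "Set-Cookie:" prefix. Attribute
    names are lower-cased so 'Secure', 'secure' and 'HttpOnly' compare the
    same; flag attributes with no value map to an empty string.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pieces = [p.strip() for p in header.split(";")]
    # The cookie value itself may contain '=' (prefs=lang=en), so split once.
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers, session_cookies=SESSION_COOKIES):
    """Return [(name, [missing attributes])] for every cookie that fails.

    Every cookie on an HTTPS-only site must be Secure; cookies named in
    session_cookies must additionally be HttpOnly.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if name in session_cookies and "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name} is missing: {', '.join(missing)}")
```

Run against the samples it flags only the prefs cookie (missing Secure); the session and auth cookies pass. A stricter variant for a site that serves nothing over HTTP is to treat a missing Secure flag on any cookie as a failure, which is what the function already does; loosen session_cookies if your application uses non-default cookie names.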
