14

In my ASP.NET MVC 4 application I use a third-party service, and one of the service's terms of use is adding the HttpOnly and Secure attributes to all session cookies.

The website is hosted on Windows Azure and runs over SSL.

I added to root web.config the following settings:

<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true"/>

<authentication mode="Forms">
    <forms loginUrl="~" timeout="2880" requireSSL="true" />
</authentication>

So now my application session cookie ".ASPXAUTH" has the HttpOnly and Secure attributes.

But the main problem is that the Azure load balancer's "WAWebSiteSID" and "ARRAffinity" cookies don't have these attributes.

Could you help me find an appropriate solution to add the missing attributes to them?

pryabov

2 Answers

24

I don't believe you can modify the secure and HttpOnly attributes as the cookies are added to the response downstream of the app (i.e. by a load balancing appliance that sits in front of the site).

Of course the pragmatic question is "why"? What advantage would you gain by not allowing client script or an MitM on the wire to access these cookies? They're nothing more than bytes of data intended to tie clients to site instances and contain nothing of a personal nature nor provide any conceivable upside for an attacker (at least not that I can think of).

The answer is probably "because it keeps a security scanning tool happy" which may make you feel warm and fuzzy, but of course it doesn't actually change the practical security position of the site one iota.

Troy Hunt
  • " but of course it doesn't actually change the practical security position of the site one iota." Could you detail why this doesn't? I understand but not everyone does. – rollsch Jan 06 '17 at 00:21
  • It makes you look like less of a target to potential attackers. – nmit026 Feb 09 '17 at 03:07
  • @Troy If it doesn't change the practical security position then I recommend you make a note on this on Asafaweb since the user of your tool will see the warning and naturally assume there's a problem that should be addressed. – Matthew Mar 26 '17 at 15:59
  • Now, let's look from a different side and think about what BAD would happen if those cookies were made HttpOnly. They would not be tracked by the site analytics snippet? Or what? – Konstantin Apr 18 '17 at 01:20
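An added example (not from the question or either answer) that audits which Set-Cookie headers carry the Secure and HttpOnly attributes, so the gap the question describes can be confirmed from an actual response rather than from a scanner report. The sample headers are constructed to mirror the question; cookie values and the domain are placeholders.

```python
from urllib.request import urlopen

# Constructed Set-Cookie headers modelled on the question: the app's own
# forms-auth cookie after the web.config change, plus the two cookies the
# Azure load balancer appends downstream (values and domain are placeholders).
SAMPLE_SET_COOKIE = [
    ".ASPXAUTH=PLACEHOLDER; path=/; secure; HttpOnly",
    "ARRAffinity=PLACEHOLDER; Path=/; Domain=example.azurewebsites.net",
    "WAWebSiteSID=PLACEHOLDER; Path=/",
]

# Attribute names are case-insensitive, so they are compared in lower case.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Flag attributes (Secure, HttpOnly) have no '='; valued ones (Path=, Domain=) do.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers, required=REQUIRED):
    """Map each cookie name to the list of required attributes it is missing."""
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        report[name] = [a for a in required if a not in attrs]
    return report


def fetch_set_cookie_headers(url):
    """Collect every Set-Cookie header from a live HTTPS response (not used offline)."""
    with urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # With the constructed sample, .ASPXAUTH passes and both balancer cookies fail.
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To check a deployed site, pass the result of fetch_set_cookie_headers("https://<your-site>") to audit_cookies; cookies set by the balancer will show up with both attributes missing, exactly as the question and the accepted answer describe.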
0

As of June 24, 2017, this is changing and ARRAffinity cookies will be set with the HttpOnly flag in the future. https://github.com/Azure/app-service-announcements/issues/12

Vitor M. Barbosa