6

I have an application that runs on SSL, I have already added the following into my web.config, under System.Web.

<httpCookies requireSSL="true" httpOnlyCookies="true" lockItem="true" />

But I still get one unsecured cookie by the name of "cookiesession1". It's not being marked as secure.

Can you please let me know how I can mark it as secure.

EDIT: In addition to the Web.config directive, I have the following code in my Global.asax file as well.

// Global.asax: runs once per request, after the handler has produced the response
protected void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        // Mark every cookie this application is about to send as Secure
        foreach (string s in Response.Cookies.AllKeys)
        {
            Response.Cookies[s].Secure = true;
        }
    }
}

Following is a screenshot of the Firebug debug output: [screenshot not reproduced]

What am I missing? Please help.

progrAmmar
  • Maybe [this](https://msdn.microsoft.com/library/ms228262(v=vs.100).aspx) - `This setting is overridden by any other feature that exposes the requireSSL configuration (for example: the forms Element for authentication (ASP.NET Settings Schema)).` ? – EdSF Feb 25 '16 at 02:14
  • Is this cookiesession1 are related to some Secure Token Service cookies? – Dhanuka777 Feb 25 '16 at 04:24
  • Nope I am using a normal session in the application, I am not even referencing this cookie – progrAmmar Feb 26 '16 at 01:14

1 Answer

2

The FortiWeb Web Application Firewall (WAF) session cookie is named cookiesession1.

For the first HTTP/HTTPS request from a client, FortiWeb embeds a cookie in the response’s Set-Cookie: field in the HTTP header. It is named cookiesession1. (FortiWeb does not use source IP addresses and timestamps alone for sessions: NAT can cloak multiple clients; clocks can be altered.)

http://help.fortinet.com/fweb/537/Content/FortiWeb/fortiweb-admin/http_sessions_security.htm

http://help.fortinet.com/fweb/536/Content/FortiWeb/fortiweb-admin/global_object_white_list.htm

ishakkulekci