I know I can set this in the web.config but I want to set it conditionally depending on environment and add it to our core library. I have tried the below code but it does not work.

        HttpCookiesSection cookieSection = (HttpCookiesSection)ConfigurationManager.GetSection("system.web/httpCookies");
        cookieSection.HttpOnlyCookies = true;
        cookieSection.RequireSSL = true;

The error is:

    System.Configuration.ConfigurationErrorsException
    The configuration is read only.

This kind of approach works fine for app settings. Note: I am not wanting to save the web.config, just change the setting in memory.

It appears from the documentation that this property is get-set.

From the docs:

    // Set the RequireSSL.
    httpCookiesSection.RequireSSL = false;

mike nelson
  • Where are you using that? I'd think it's made read-only at some point – Camilo Terevinto Feb 23 '18 at 00:51
  • Curious: How would an application "change environment" when it's (already) running? – EdSF Feb 23 '18 at 01:15
  • The same instance could serve multiple domains so you may want to dynamically rewrite this value based on the active host in the request. We have this unusual requirement and it doesn't look like it's possible to do. – keithl8041 Dec 21 '18 at 14:08
  • Hi @mike nelson. Did you find any solution? – dima_horror Feb 04 '21 at 07:40
  • @dima_horror - nope sorry did not find a solution. BTW our use case for this is wanting to have it automatically enforce this setting in our core library across multiple projects without needing to look at web.config, and also we like to have our web.config files in sync between dev and prod (not using separate copies for envs). – mike nelson Feb 04 '21 at 19:14
  • @CamiloTerevinto - The application detects its environment based on the URL (which means it needs to be in Application_BeginRequest, as the URL does not exist during Application_Start). Possibly if I ran this code in Application_Start it might work (but then I could not detect the environment...) – mike nelson Feb 04 '21 at 19:15
  • @mikenelson Have you found any solution to this? We are running into the same problem. – SlipEternal Feb 25 '22 at 15:28
  • @SlipEternal - no sorry, had to set it in web.config and have the file different on live – mike nelson Feb 25 '22 at 19:30
  • @mikenelson If you are interested, [here](https://stackoverflow.com/questions/953361/how-to-secure-classic-asp-aspsessionid-cookie) is a link to another answer on stackoverflow that might be interesting. We are discussing whether we want to install the additional software on all of our web servers. Check the third answer down. I bet it could be extended to a generic switch based on the http_host entrypoint (http vs https) to change all cookies to unsecure or secure respectively. – SlipEternal Mar 01 '22 at 19:00
  • @mikenelson We got it to work. Check [here](https://stackoverflow.com/questions/71328698/use-unsecured-cookies-and-secure-cookies-depending-on-context/71338745#71338745) for the syntax. – SlipEternal Mar 03 '22 at 14:24
  • @SlipEternal thanks that urlrewrite approach looks smart and seems like it will achieve a solution – mike nelson Mar 04 '22 at 08:48
  • @mikenelson we uncovered another approach that seems to work. The Request.ServerVariables["HTTPS"] == "on" when the site is reached from HTTPS, and it is "off" when reached via HTTP. Rather than using Response.Cookies to add cookies, you can use Response.AddHeader to add a "Set-Cookie" header where you choose the specifics of the cookie. This is a little less robust, since you cannot make further updates. The cookie is not available until after you hit the server again. But, this is a possible approach. Example: Response.AddHeader("Set-Cookie","[MyCookie]=[MyCookieValue];Secure;HttpOnly") – SlipEternal Mar 18 '22 at 17:29
  • Obviously, if you don't want it to be secure, leave off the ";Secure;HttpOnly". You can add additional things to the cookie, like "[MyCookie]=[MyCookieValue];Path=/;SameSite=Lax;Secure;HttpOnly" – SlipEternal Mar 18 '22 at 17:31
  • @SlipEternal yes that is a good approach, just means all calls to set cookies must use a custom function, but if that is ok then it would also give you much better control (for example “secure” prefix can be added, crazy crap like “same site” can be implemented across the board) – mike nelson Mar 18 '22 at 21:13
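
The custom cookie-setting function discussed in the last comments could look like the following. This is an added example, not code from the thread; the names `ConditionalCookie`, `BuildHeader` and `Set` are hypothetical, and it assumes ASP.NET on .NET Framework (System.Web).

```csharp
using System;
using System.Text;
using System.Web;

// Added example: sets cookies through a raw Set-Cookie header so that the
// Secure attribute can be decided per request instead of in web.config.
public static class ConditionalCookie
{
    // Builds the header value only; no HttpContext needed, so it is easy to unit test.
    public static string BuildHeader(string name, string value, bool secure,
                                     bool httpOnly = true, string sameSite = "Lax")
    {
        // Reject names that could break out of the cookie pair or the header line.
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(new[] { '\r', '\n', ';', '=', ',', ' ' }) >= 0)
            throw new ArgumentException("Invalid cookie name.", nameof(name));
        if (sameSite != "Lax" && sameSite != "Strict" && sameSite != "None")
            throw new ArgumentException("Invalid SameSite value.", nameof(sameSite));
        // Browsers reject SameSite=None cookies that are not also Secure.
        if (sameSite == "None" && !secure)
            throw new ArgumentException("SameSite=None requires Secure.", nameof(sameSite));

        var sb = new StringBuilder();
        // Percent-encode the value so CR/LF or ';' inside it cannot inject
        // attributes or headers. Read it back with Uri.UnescapeDataString.
        sb.Append(name).Append('=').Append(Uri.EscapeDataString(value ?? string.Empty));
        sb.Append("; Path=/; SameSite=").Append(sameSite);
        if (secure) sb.Append("; Secure");
        if (httpOnly) sb.Append("; HttpOnly");
        return sb.ToString();
    }

    // Call this from request-handling code instead of Response.Cookies.Add(...).
    public static void Set(HttpContext context, string name, string value)
    {
        // Per-request check taken from the comment above: "on" for HTTPS, "off" for HTTP.
        bool secure = string.Equals(context.Request.ServerVariables["HTTPS"], "on",
                                    StringComparison.OrdinalIgnoreCase);
        context.Response.AddHeader("Set-Cookie", BuildHeader(name, value, secure));
    }
}
```

If TLS is terminated on a load balancer or reverse proxy in front of IIS, the `HTTPS` server variable reports `off` even though the browser connection is encrypted, so the `secure` decision needs a different signal in that setup.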

0 Answers