I'm trying to write a cookie in ASP.NET under https, but I see a plain text cookie in the client machine. Shouldn't the cookie be encrypted by default under an https connection?
5 Answers
Short answer is no, cookies are not encrypted in ASP.NET under SSL. SSL is a transport-level protocol, encrypting only the communications between the client and server. Cookies and query-string values are NOT encrypted by SSL. Once the cookie is on the client machine, it is left in whatever format it left the server in.

I found it amazing that with a secured connection the details saved in a cookie are still plaintext on the client device. I had assumed they would be encrypted also. – Martin Aug 29 '18 at 18:45
Your cookie will only be encrypted during transmission of the cookie to/from your browser. If you want the cookie to be encrypted in the browser's cookie store, you'd need to encrypt it on the server first and then decrypt it on the server upon use in server-side scripts.
SSL/TLS is just a transport security mechanism to encrypt requests/responses on the wire; it is up to the browser to provide a mechanism to store cookies securely on the client (or, as mentioned above, your application can do this).

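As an added example (not code from the question or any of the answers), here is what "encrypt on the server, decrypt on the server" looks like in ASP.NET Core using its Data Protection API. The controller, purpose string, cookie name and payload are illustrative assumptions; the app is assumed to have Data Protection registered (builder.Services.AddDataProtection()). The browser only ever stores the ciphertext, and Unprotect() fails on any tampered value.

```csharp
// Added example: protecting a cookie's contents server-side with ASP.NET Core
// Data Protection, so the value in the browser's cookie jar is ciphertext
// rather than plaintext. Controller, purpose string, cookie name and payload
// are hypothetical; the app is assumed to call AddDataProtection() at startup.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class PreferencesController : Controller
{
    private const string CookieName = "prefs";
    private readonly IDataProtector _protector;

    public PreferencesController(IDataProtectionProvider provider)
    {
        // The purpose string isolates this protector's keys from other uses
        // of Data Protection in the same app (e.g. auth cookies, antiforgery).
        _protector = provider.CreateProtector("PreferencesController.prefs.v1");
    }

    [HttpPost("prefs")]
    public IActionResult Save(string theme)
    {
        // Protect() both encrypts and authenticates the value; the browser
        // receives an opaque, base64url-encoded blob.
        string protectedValue = _protector.Protect(theme);

        Response.Cookies.Append(CookieName, protectedValue, new CookieOptions
        {
            Secure = true,                 // sent only over HTTPS
            HttpOnly = true,               // not readable by page scripts
            SameSite = SameSiteMode.Strict,
            Expires = DateTimeOffset.UtcNow.AddDays(30)
        });
        return Ok();
    }

    [HttpGet("prefs")]
    public IActionResult Load()
    {
        if (!Request.Cookies.TryGetValue(CookieName, out string? protectedValue))
            return Ok(new { theme = "default" });

        try
        {
            // Unprotect() verifies the authentication tag before decrypting.
            string theme = _protector.Unprotect(protectedValue);
            return Ok(new { theme });
        }
        catch (CryptographicException)
        {
            // Tampered value, or protected with a key this app no longer holds:
            // discard it rather than trusting it.
            Response.Cookies.Delete(CookieName);
            return Ok(new { theme = "default" });
        }
    }
}
```

On classic ASP.NET (System.Web, .NET 4.5 and later), System.Web.Security.MachineKey.Protect and MachineKey.Unprotect play the same role as the Data Protection calls above. In either case the Secure flag only controls which connections the browser will send the cookie over; it does nothing for the copy sitting on disk, which is why the value itself has to be protected before it leaves the server.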
Nope, AFAIK only the transfer is encrypted, the cookie on the client side isn't. You should encrypt it yourself for better security.

If you just updated Django from version 2 to 3 and something with your cookies looks wrong, check django.contrib.messages.storage.cookie.CookieStorage._decode
Cookies are now "signed". If you want to directly access them, you need to _decode() them.
