
HttpCookie "secure" flag should enforce SSL by J. Hayre

Closed as Won't Fix

Type: Suggestion
ID: 103116
Opened: 1/1/2006 3:47:17 PM
Access Restriction: Public
Duplicates: 103115
0 Workaround(s)
The "secure" cookie flag dictates that the value of the cookie should only be sent over (unspecified) secure means. In practice this has come to mean over SSL. This is critical in keeping session cookies safe from prying eyes. If the user-agent does not send a sensitive session cookie over HTTP, an attacker would have to look at other means of stealing this cookie.

Turns out this requirement does not apply to the initial "set-cookie" response sent from the server to the client, so an attacker can just look for the set-cookie header and hijack the session of the victim. I understand this is not part of RFC 2109 but this helps defeat a lot of the benefits of the "secure" flag.

I tested this out in ASP.NET v1.1 and confirmed that ASP.NET does not ensure that the response from the server is encrypted.
Details
Product Language
English
Version
Visual Studio 2005
Category
Other
Operating System
Windows Server 2003
Operating System Language
English
Proposed Solution
Because developers are not aware of this detail it would be a good idea to have the framework ensure that the initial "set-cookie" header for any "secure" marked cookie is sent from the server to the client over SSL.
Benefits
Improved Security
Other Benefits
Improved Security
File Attachments
0 attachments
Posted by Microsoft on 1/10/2006 at 5:02 PM
Thank you for your suggestion. We'll assign it to the appropriate feature area and evaluate it for a future release. Because we're still early in the product cycle, you may not hear back from us for some time but we'll contact you if we have questions and will let you know the final status of your suggestion.

The Web Platform & Tools Team
Posted by Microsoft on 1/19/2006 at 5:42 PM
Now that Visual Studio 2005 has shipped we're in the planning stages for our next release. As part of our normal planning process we are going through and re-evaluating all bugs that were postponed for Visual Studio 2005. We re-reviewed this bug as part of that process.

To ensure that applications developed with Visual Studio 2005 will continue to work well with our next release, we are refraining from making changes that would break compatibility with Visual Studio 2005. Based on our investigation, we feel that changing the behavior of HttpCookie would cause unexpected behavior in both 1.1 and 2.0 applications. Note that ASP.NET features that support issuing secure cookies do enforce that the initial issuance occurs on a secure connection. As a result we are resolving this suggestion as “Won’t Fix”.

We very much value your comments and look forward to further feedback from you in the future.
Posted by J. Hayre on 1/24/2006 at 2:59 PM
I can confirm that in v1.1 issuing secure cookies DOES NOT enforce that the initial issuance occurs on a secure connection. To address your concern of being incompatible, a new flag could be added to the HttpCookie class.

This problem is not present in v2.0 but could you guys please fix this in v1.1?

All the .NET code I perform security reviews on is written in 1.1.
Posted by J. Hayre on 2/12/2006 at 8:38 PM
In .NET 1.1 (using VS 2003) developers can create HttpCookies, mark them secure and the framework will NOT enforce SSL. As proof, run the following code in ASP.NET 1.1:

     // Create a cookie and mark it Secure. ASP.NET 1.1 still emits the
     // Set-Cookie header even when this request arrived over plain HTTP.
     HttpCookie myCookie = new HttpCookie("currDate", System.DateTime.Now.ToString());
     myCookie.Secure = true;
     Response.Cookies.Add(myCookie);

And run this code over HTTP. The server WILL send back the "set-cookie" header over HTTP. The desired behavior would be a readonly property (possibly called "requireSSL") which would be set to yes when the Secure flag is set to 'true'. Currently, a fix for this issue does not exist. I know MS has released VS 2005 and .NET 2.0 but attention must still be paid to 1.1. This might be an inconvenience, but it should be added.
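The enforcement the report asks for can be applied in application code on ASP.NET 1.1 until the framework does it. This is an added example, not code from this issue, from J. Hayre or from ASP.NET; the helper class name SecureCookieWriter is hypothetical, and it assumes a page with the usual Request and Response objects.

```csharp
// Added example (hypothetical helper), not from the Connect issue or from ASP.NET.
// Application-level version of the proposed fix for ASP.NET 1.1: a cookie marked
// Secure is only written to the response when the current request came in over
// SSL, so its value is never exposed in a cleartext Set-Cookie header.
using System;
using System.Web;

public sealed class SecureCookieWriter
{
    // Adds the cookie only if the request is HTTPS; returns false if it was withheld.
    public static bool TryAddSecureCookie(HttpRequest request, HttpResponse response, HttpCookie cookie)
    {
        if (request == null) throw new ArgumentNullException("request");
        if (response == null) throw new ArgumentNullException("response");
        if (cookie == null) throw new ArgumentNullException("cookie");

        cookie.Secure = true; // user-agent will only return it over SSL

        // IsSecureConnection is false when this request used plain HTTP (and also
        // behind an SSL-terminating proxy, where a different signal would be needed).
        if (!request.IsSecureConnection)
            return false; // the "requireSSL" behaviour the report suggests

        response.Cookies.Add(cookie);
        return true;
    }

    // Page-level usage equivalent to the reporter's three-line snippet: issue the
    // cookie over SSL, otherwise redirect to the HTTPS form of the same URL without
    // ever emitting the Set-Cookie header in clear.
    public static void IssueOrRedirect(HttpRequest request, HttpResponse response, HttpCookie cookie)
    {
        if (TryAddSecureCookie(request, response, cookie))
            return;

        UriBuilder secureUrl = new UriBuilder(request.Url);
        secureUrl.Scheme = Uri.UriSchemeHttps;
        secureUrl.Port = 443;
        response.Redirect(secureUrl.Uri.AbsoluteUri, true);
    }
}

// In a page's code-behind:
//   HttpCookie myCookie = new HttpCookie("currDate", DateTime.Now.ToString());
//   SecureCookieWriter.IssueOrRedirect(Request, Response, myCookie);
```

The redirect branch is what turns the silent plaintext issuance the report describes into a visible, testable failure mode in a code review.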

Posted by Microsoft on 2/13/2006 at 5:34 PM
ASP.NET 2.0 features that issue cookies enforce the suggested protection (i.e. don't send the initial cookie unless running under SSL). However, building in functionality to broadly apply this restriction would be a breaking change with the potential to cause errors for existing sites that are not correctly securing the initial cookie issuance. As noted earlier, we feel that changing the behavior of HttpCookie would cause unexpected behavior in both 1.1 and 2.0 applications and as a result we are resolving this suggestion as “Won’t Fix”.

Thank you for your feedback,
-The Web Platform and Tools Team