ASP.NET: Failure To Require SSL For Authentication Cookies
Description
The ASP.NET application's forms authentication configuration does not enforce SSL/TLS for authentication cookies. When the requireSSL attribute is not set to true in the <forms> element, authentication cookies can be transmitted over unencrypted HTTP connections. This allows the cookies to be intercepted by attackers monitoring network traffic, even if the login page itself uses HTTPS.
Remediation
Configure ASP.NET forms authentication to require SSL/TLS for all authentication cookies by setting the requireSSL attribute to true in the <forms> element within your web.config file. With this setting the authentication cookie is issued with the Secure flag, so browsers only send it over encrypted HTTPS connections and never over unencrypted HTTP. Note that when requireSSL="true" is set, ASP.NET refuses to issue the authentication cookie on a non-HTTPS request, so the login page and every page that relies on the cookie must be served over HTTPS.
Example Configuration:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Login.aspx"
                 requireSSL="true"
                 slidingExpiration="true"
                 timeout="30" />
        </authentication>
      </system.web>
    </configuration>

Additional Steps:
1. Ensure your entire application is accessible via HTTPS
2. Implement HTTP to HTTPS redirects to prevent accidental unencrypted access
3. Consider enabling HSTS (HTTP Strict Transport Security) headers to enforce HTTPS at the browser level
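To catch this misconfiguration before deployment, the following audit script (added here; it is not part of the advisory or of any ASP.NET tooling) parses a web.config and reports a <forms> element whose requireSSL attribute is missing or not "true". The two web.config samples embedded in it are constructed for illustration; the attribute names and the default of requireSSL being false are ASP.NET behaviour.

```python
"""Audit an ASP.NET web.config for forms-authentication cookies that are
not restricted to HTTPS (requireSSL missing or not set to "true")."""
import xml.etree.ElementTree as ET


def audit_forms_require_ssl(web_config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was found.

    Only <authentication mode="Forms"> is relevant: other modes do not
    issue the forms authentication cookie at all."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for auth in root.iter("authentication"):
        if auth.get("mode", "").lower() != "forms":
            continue
        forms = auth.find("forms")
        if forms is None:
            # Forms mode without a <forms> element uses the defaults,
            # and the default for requireSSL is false.
            findings.append("<forms> element missing; requireSSL defaults to false")
            continue
        value = forms.get("requireSSL")
        if value is None:
            findings.append("<forms> lacks requireSSL attribute (defaults to false)")
        elif value.strip().lower() != "true":
            findings.append(f'<forms> has requireSSL="{value}" instead of "true"')
    return findings


# Constructed samples for demonstration, not taken from a real deployment.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true"
             slidingExpiration="true" timeout="30" />
    </authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name + ":", audit_forms_require_ssl(cfg) or ["no findings"])
```

Running the script prints one finding for the weak sample and none for the fixed one; point it at a real web.config by reading the file into a string.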