Session Cookie Found Without Secure Flag Set
When the HTTP protocol is used, traffic is sent in plaintext, which allows an attacker to read or modify it (man-in-the-middle attack). HTTPS is the secure version of HTTP: it uses SSL/TLS to protect application-layer data. When HTTPS is used, the following properties are achieved: authentication and data integrity.
The Secure flag is an attribute that the application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties because it was transmitted in clear text.
To accomplish this, browsers that support the Secure flag will only send a cookie carrying it when the request goes to an HTTPS page. Put another way, the browser will not send a cookie with the Secure flag set over an unencrypted HTTP request.
By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
Enable the Secure flag using web.config (ASP.NET):
<system.web>
  <!-- Mark every cookie the application sets as Secure -->
  <httpCookies requireSSL="true" />
  <authentication mode="Forms">
    <!-- Also require SSL for the Forms authentication cookie -->
    <forms requireSSL="true">
      <!-- forms content -->
    </forms>
  </authentication>
</system.web>
Enable the Secure flag using PHP (Methods 1 and 2 must run before session_start()):
Method 1: Using ini_set()
// Session cookie is only sent over HTTPS
ini_set("session.cookie_secure", "1");
Method 2: Using session_set_cookie_params()
// Arguments: lifetime, path, domain, secure, httponly
session_set_cookie_params(0, "/", "", true, false);
Method 3: Using setcookie()
// Arguments: name, value, expires, path, domain, secure, httponly
setcookie("name", "value", 0, "/", "", true, false);
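The following is an added example (not part of the original article) showing how the finding described on this page can be detected from a server's response headers: it parses Set-Cookie headers and reports session cookies that lack the Secure attribute. The list of session cookie names and the sample headers are constructed for illustration.

```python
# Audit HTTP response Set-Cookie headers for session cookies lacking Secure.
# Added example; the cookie names below and the sample headers are constructed.
from typing import Iterable

# Common session cookie names (PHP, ASP.NET session, ASP.NET Forms auth, Java)
SESSION_COOKIE_NAMES = {"phpsessid", "asp.net_sessionid", ".aspxauth", "jsessionid"}


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) from one Set-Cookie header."""
    # Cookie values cannot contain ';', so splitting on it is safe even for Expires dates.
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: set[str] = set()
    for attr in parts[1:]:
        # Attribute names are case-insensitive; value-carrying ones (Path=/) are split on '='.
        attrs.add(attr.split("=", 1)[0].strip().lower())
    return name, attrs


def is_session_cookie(name: str) -> bool:
    """Heuristic: a known session cookie name, or any name containing 'sess'."""
    lname = name.lower()
    return lname in SESSION_COOKIE_NAMES or "sess" in lname


def find_insecure_session_cookies(headers: Iterable[str]) -> list[str]:
    """Names of session cookies that were set without the Secure attribute."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if is_session_cookie(name) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample Set-Cookie headers as a scanner might capture them
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",                                   # vulnerable
    "ASP.NET_SessionId=xyz789; path=/; secure; HttpOnly",                   # ok
    ".ASPXAUTH=tok; expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/; secure",  # ok
    "theme=dark; Path=/",                                                   # not a session cookie
]

if __name__ == "__main__":
    for cookie in find_insecure_session_cookies(SAMPLE_HEADERS):
        print(f"Session cookie '{cookie}' set without Secure flag")
```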