Securing http cookies without changing your base code

6. January 2009

I came across a situation where an ASP.NET 1.1 application had a security scan done and one of the issues that came back was that its cookies were not marked Secure.  Not a major issue.  However, if you have a product base that has been customized many times over, how do you change everything in production without wasting a lot of time and resources?  The goal was to leave the existing code of every product base untouched, cover every HTTP cookie, and keep testing and redeployment down to a single assembly.

Interested in the fix?

Here is what I came up with....

An HttpModule.  My HttpModule reads every cookie coming in and out, marks them as Secure, sets an expiration time and forces them to HttpOnly.  Basically, everything that needed to be done to the cookies, and more, in order to satisfy the security scan.  Below is all the code we needed to create the HTTP module.

using System;
using System.Web;

namespace Jaws.Core.Web
{
    /// <summary>
    /// Marks every outgoing cookie Secure and HttpOnly and gives it a short lifetime,
    /// without touching the application code that created the cookie.
    /// </summary>
    public class SecureCookies : IHttpModule
    {
        #region Implementation of IHttpModule

        /// <summary>
        /// Initializes a module and prepares it to handle requests.
        /// </summary>
        /// <param name="context">An <see cref="T:System.Web.HttpApplication" /> that provides access to the methods, properties, and events common to all application objects within an ASP.NET application </param>
        public void Init(HttpApplication context)
        {
            // Run once before the page handler executes and once more just before the
            // response goes out, so cookies the handler itself adds are covered too.
            context.PreRequestHandlerExecute += SecureAllCookies;
            context.PreSendRequestContent += SecureAllCookies;
        }

        /// <summary>
        /// Disposes of the resources (other than memory) used by the module that implements <see cref="T:System.Web.IHttpModule" />.
        /// </summary>
        public void Dispose()
        {
            // Nothing to dispose of at this point.
        }

        private static void SecureAllCookies(object sender, EventArgs e)
        {
            var application = sender as HttpApplication;
            if (application == null)
            {
                return;
            }

            // Only the Set-Cookie headers in the response carry attributes. Cookies in
            // Request.Cookies arrive as bare name=value pairs, so the outgoing
            // collection is the one that has to change.
            HttpCookieCollection cookies = application.Response.Cookies;
            for (int i = 0; i < cookies.Count; i++)
            {
                HttpCookie cookie = cookies[i];
                if (cookie == null)
                {
                    continue;
                }

                // Secure: the browser only returns the cookie over HTTPS, so the
                // application must be served over HTTPS or the cookie is never sent back.
                cookie.Secure = true;
                // HttpOnly: the cookie is not readable from script (document.cookie).
                cookie.HttpOnly = true;
                // Expires turns a session cookie into a persistent one; it is kept to
                // ten minutes and refreshed on every response.
                cookie.Expires = DateTime.Now.AddMinutes(10);
            }
        }

        #endregion
    }
}
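Once the module is registered in web.config and deployed, the quickest way to confirm the scan finding is closed is to look at the Set-Cookie headers the application actually emits. The following Python script is an added example, not code from the article: it parses a few constructed Set-Cookie headers (the cookie names and values are made up) and reports which cookies still lack Secure or HttpOnly, or carry an Expires value that is already in the past.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and Expires attributes
that the module above is meant to add. Example code, not part of the article."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, as a scanner or a browser's developer tools would
# capture them from one response. Not output from the article's application.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    "UserPref=dark; expires=Fri, 31 Dec 2099 23:59:59 GMT; path=/; secure; HttpOnly",
    "Tracking=xyz; expires=Thu, 31 Dec 2009 23:59:59 GMT; path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, now=None):
    """Return (name, findings); an empty findings list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    expires = attrs.get("expires")
    if isinstance(expires, str):
        when = parsedate_to_datetime(expires)
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= (now or datetime.now(timezone.utc)):
            findings.append("Expires is in the past (cookie is deleted, not set)")
    return name, findings


def audit_headers(headers, now=None):
    """Map each cookie name to its findings, like a scanner's cookie-flag check."""
    return dict(audit_cookie(h, now) for h in headers)


if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie_name, "OK" if not problems else ", ".join(problems))
```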

.Net, Tips and Tricks

Comments

7/11/2010 1:43:17 AM
Safe answer ;)
7/12/2010 10:50:36 AM
This is a great web site.  Good sparkling UI and very informative articles. I will be coming back soon, thanks for the great article.
7/26/2010 1:23:52 AM
Do you have problems with spammers?  I also use Blog Engine and I have some good anti-spam techniques; please Email me if you are interested in an exchange of practices.
7/30/2010 9:59:52 PM
There are definitely a whole bunch more details to take into consideration, but thanks for sharing this article.
7/31/2010 5:16:55 AM
Ha, can't say you're wrong. Just need to get my head around this.
