IIS Server Security - How to enable "Secure" cookie ?

Author How to enable "Secure" cookie ?
Zester

2007-12-06, 1:36 am

Hi,

Is there a way to enable "security" cookie property? Someone mentioned to
me that we can make an application's cookie more secure that way. I assume
that it's a setting in IIS. I'm running version 6. thanks!


David Wang

2007-12-06, 1:36 am

On Dec 5, 5:42 pm, "Zester" <z...@nottospam.com> wrote:
> Hi,
>
> Is there a way to enable "security" cookie property? Someone mentioned to
> me that we can make an application's cookie more secure that way. I assume
> that it's a setting in IIS. I'm running version 6. thanks!



What you are asking for is specific to your application framework
(ASP, ASP.Net, PHP, etc) and actually has nothing to do with IIS.
Thus, there will never be a setting in IIS for what you are asking
for. It will always be a setting within your application framework.

IIS is an HTTP server, which is supposed to be stateless, which means
that it does not care about stateful things like cookies nor how
secure they are being used (IIS can ensure secure transport of the
cookie data, but it has no way nor reason to ensure the security of
the cookie data itself nor how that data is used).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Zester

2007-12-06, 1:28 pm

What about AspKeepSessionIDSecure property setting? Somebody briefly
suggested that it might be something related to cookie security. What does it
do? thanks!



"David Wang" <w3.4you@gmail.com> wrote in message
news:b45c7e69-6389-4551-b4e4-2741d1587038@d27g2000prf.googlegroups.com...
> On Dec 5, 5:42 pm, "Zester" <z...@nottospam.com> wrote:
>
>
> What you are asking for is specific to your application framework
> (ASP, ASP.Net, PHP, etc) and actually has nothing to do with IIS.
> Thus, there will never be a setting in IIS for what you are asking
> for. It will always be a setting within your application framework.
>
> IIS is an HTTP server, which is supposed to be stateless, which means
> that it does not care about stateful things like cookies nor how
> secure they are being used (IIS can ensure secure transport of the
> cookie data, but it has no way nor reason to ensure the security of
> the cookie data itself nor how that data is used).
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //



David Wang

2007-12-07, 1:36 am

Please clarify what you are trying to accomplish and secure. You never
indicated what sort of application you are talking about, nor what you
are trying to secure. Security is a state of awareness that is
constantly in flux and changing, not a bunch of static settings to
configure and bam everything is magically secure.

I mean, someone briefly suggested that turning off the computer may be
related to computer security. Why don't you try that as well? ;-)

You can't just ask about "cookies" and "security" in general. For
example, AspKeepSessionIDSecure property is specific to ASP
applications and handled by ASP.DLL itself. The property is stored in
the IIS metabase, but it is not a "setting in IIS". It is not
applicable to other application frameworks like ASP.Net or PHP.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Dec 6, 6:49 am, "Zester" <z...@nottospam.com> wrote:
> What about AspKeepSessionIDSecure property setting? Somebody briefly
> suggested that it might be something related cookie security. What does it
> do? thanks!
>
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:b45c7e69-6389-4551-b4e4-2741d1587038@d27g2000prf.googlegroups.com...


Daniel Crichton

2007-12-17, 1:29 pm

Zester wrote on Wed, 5 Dec 2007 17:42:25 -0800:

> Hi,


> Is there a way to enable "security" cookie property? Someone mentioned
> to me that we can make an application's cookie more secure that way. I
> assume that it's a setting in IIS. I'm running version 6. thanks!


All this does is tell the browser to only send the cookie over SSL
connections to your site, so preventing them being sent "in the clear" - it
doesn't make them any more secure, other than preventing them being sent
over a non-SSL connection. Do you have SSL enabled? If not you won't be able
to make use of it anyway.

--
Dan
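
Added example, not part of the original thread or any poster's code: a small Python check that parses `Set-Cookie` headers, models the one browser rule described above (a cookie marked Secure is sent on https:// requests only), and lists session cookies issued without the attribute. The cookie names and values, the example.com URLs and the function names are constructed for illustration; domain, path and expiry matching are deliberately not modelled.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie header values (not taken from the thread).
SAMPLE_SET_COOKIE = [
    "ASPSESSIONIDAAAAAAAA=ABCDEFGHIJKLMNOP; path=/",
    "ASPSESSIONIDBBBBBBBB=ABCDEFGHIJKLMNOP; secure; path=/",
    "theme=dark; Path=/; HttpOnly",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag attributes get "".
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def browser_would_send(header, url):
    """Model only the Secure rule: Secure cookies go out over https only."""
    _, _, attrs = parse_set_cookie(header)
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or "secure" not in attrs

def audit(headers, sensitive_prefixes=("ASPSESSIONID",)):
    """Return names of sensitive cookies that were set without Secure."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper().startswith(sensitive_prefixes) and "secure" not in attrs:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        name = parse_set_cookie(header)[0]
        for url in ("http://www.example.com/", "https://www.example.com/"):
            print(name, url, "sent" if browser_would_send(header, url) else "withheld")
    print("Session cookies missing Secure:", audit(SAMPLE_SET_COOKIE))
```

The attribute changes only when the browser transmits the cookie; the cookie's value and how the application uses it are unaffected.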

