The "secure" cookie flag dictates that the value of the cookie should only be sent over (unspecified) secure means. In practice this has come to mean over SSL. This is critical in keeping session cookies safe from prying eyes. If the user-agent does not send a sensitive session cookie over HTTP, an attacker would have to look at other means of stealing this cookie.
Turns out this requirement does not apply to the initial "set-cookie" response sent from the server to the client, so an attacker can just look for the set-cookie header and hijack the session of the victim. I understand this is not part of RFC 2109 but this helps defeat a lot of the benefits of the "secure" flag.
I tested this out in ASP.NET v1.1 and confirmed that ASP.NET does not ensure that the response from the server is encrypted.
I can confirm that in v1.1 issuing secure cookies DOES NOT enforce that the initial issuance occurs on a secure connection. To address your concern about incompatibility, a new flag could be added to the HttpCookie class.
This problem is not present in v2.0 but could you guys please fix this in v1.1?
All the .NET code I perform security reviews on is written in 1.1.
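As an added example (not code from the original thread, from ASP.NET, or from Microsoft), here is a small Python audit that makes the point above concrete from the defender's side: it parses each Set-Cookie header in a response and reports a cookie that carries the Secure attribute but was issued over plain HTTP, and, going one step beyond the thread, also reports a session cookie issued without Secure at all. The list of session cookie names and all the sample responses are constructed for the example; the ASP.NET session cookie name is the framework's default, the rest are common defaults of other platforms.

```python
"""
Added example: audit Set-Cookie headers against the scheme of the response
that carried them. The Secure attribute only restricts when the user-agent
SENDS the cookie back; it does nothing to stop a server from ISSUING the
cookie over plain HTTP, where the value is readable in transit.
"""
from typing import Dict, List, Tuple

# Cookie names treated as session identifiers (assumption for this example).
SESSION_COOKIE_NAMES = {"asp.net_sessionid", "jsessionid", "phpsessid", "sessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain, Expires) to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the cookies issued by a response fetched over `scheme`.

    `headers` is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        is_secure = "secure" in cookie["attrs"]
        is_session = cookie["name"].lower() in SESSION_COOKIE_NAMES
        if is_secure and scheme.lower() == "http":
            # Flag is set, but the value just travelled in clear text anyway.
            findings.append(f"{cookie['name']}: Secure cookie issued over plaintext HTTP")
        if is_session and not is_secure:
            findings.append(f"{cookie['name']}: session cookie issued without the Secure attribute")
    return findings


if __name__ == "__main__":
    # Constructed captures: (scheme the response arrived over, response headers).
    captures = [
        ("http", [("Content-Type", "text/html"),
                  ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly")]),
        ("https", [("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; secure")]),
        ("https", [("Set-Cookie", "ASP.NET_SessionId=abc123; path=/")]),
        ("http", [("Set-Cookie", "theme=dark; path=/")]),
    ]
    for scheme, headers in captures:
        for finding in audit_response(scheme, headers) or ["no findings"]:
            print(f"[{scheme}] {finding}")
```

The first capture is the case the thread describes: the cookie is marked Secure, so the browser will never send it back over HTTP, but the server already disclosed it in clear text when it set it. The only reliable fix is on the server side, which is to issue the session cookie only on a request that arrived over HTTPS.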