Difference between revisions of "SecureFlag"

From OWASP
Jump to: navigation, search
(Created page with '= Overview<br> = The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the se…')
 
(One intermediate revision by one user not shown)
Line 1: Line 1:
 +
{{Stub}}
 +
 
= Overview<br> =
 
= Overview<br> =
  
Line 8: Line 10:
  
 
= Setting the Secure Flag<br> =
 
= Setting the Secure Flag<br> =
 +
 +
'''ASP.NET'''
 +
 +
<httpCookies requireSSL="true" />
  
 
= Testing for the Secure Flag<br> =
 
= Testing for the Secure Flag<br> =
Line 14: Line 20:
  
 
[http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) Testing for Cookie Attributes]<br>
 
[http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) Testing for Cookie Attributes]<br>
 +
http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html

Revision as of 17:37, 3 January 2013

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


Contents

Overview

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a the cookie in clear text.

To accomplish this goal, browsers which support the secure flag will only send cookies with the secure flag when the request is going to a HTTPS page. Said in another way, the browser will not send a cookie with the secure flag set over an unencrypted HTTP request.

By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

Setting the Secure Flag

ASP.NET

<httpCookies requireSSL="true" />

Testing for the Secure Flag

Related Articles

Testing for Cookie Attributes
http://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html