Wednesday 15 September 2010

c# - Secure Authentication cookie Asp.Net -




I have 2 pages, p1.aspx (login page) and p2.aspx (redirect page), both configured for SSL. In p1.aspx I created an authentication cookie with the "Secure" property set to "true" and added it to the response object of p1.aspx.

But when the page is redirected to p2.aspx from p1.aspx, the authentication cookie in the p2.aspx request shows the cookie's "Secure" property as "false". I am not getting why the "Secure" property is set to "false" in the request's cookie.

If you are checking Secure on the server side, it won't be true, because the browser doesn't send the attribute back. If you check in Chrome DevTools, you can find that the cookie has Secure = true.

Here is a quote from the wiki:

Besides the name–value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, Secure flag and HttpOnly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie's name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.

So it's totally fine that you don't see the Secure attribute in the request; it only has to be in the response when you send it. The browser doesn't send it in each request, but it will still use it anyway, and if the request isn't HTTPS, the browser won't use the cookie.
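The exchange the answer describes, as an added example that is not part of the original post. It uses Python's standard `http.cookies` module rather than ASP.NET so that both sides of the exchange run in one file; `MiniBrowser`, the cookie name `auth`, its value and the `example.test` URLs are constructed for illustration.

```python
from http.cookies import SimpleCookie

def server_set_cookie(name, value):
    """Login page (p1.aspx in the question): build the Set-Cookie header value."""
    c = SimpleCookie()
    c[name] = value
    c[name]["secure"] = True      # attribute travels server -> browser only
    c[name]["httponly"] = True
    c[name]["path"] = "/"
    return c.output(header="").strip()

class MiniBrowser:
    """Constructed stand-in for a browser cookie jar (ignores domain, path, expiry)."""
    def __init__(self):
        self.jar = SimpleCookie()

    def receive(self, set_cookie_value):
        # The browser keeps the attributes locally to decide when to send the cookie.
        self.jar.load(set_cookie_value)

    def cookie_header(self, url):
        # Only name=value pairs go back; Secure cookies are withheld on plain HTTP.
        is_https = url.lower().startswith("https://")
        pairs = [f"{m.key}={m.value}" for m in self.jar.values()
                 if is_https or not m["secure"]]
        return "; ".join(pairs)

def server_read_cookie(cookie_header, name):
    """Redirect page (p2.aspx): parse the Cookie request header as the server sees it."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(name)
    if morsel is None:
        return None
    # No attribute was transmitted, so "secure" falls back to its empty default.
    return {"value": morsel.value, "secure": bool(morsel["secure"])}

def demo():
    browser = MiniBrowser()
    set_cookie = server_set_cookie("auth", "abc123")   # constructed sample value
    browser.receive(set_cookie)
    https_hdr = browser.cookie_header("https://example.test/p2.aspx")
    http_hdr = browser.cookie_header("http://example.test/p2.aspx")
    return set_cookie, https_hdr, http_hdr, server_read_cookie(https_hdr, "auth")

if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```

To confirm the flag on a real site, inspect the `Set-Cookie` response header or the browser's cookie store, not the request-side cookie object.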

c# asp.net security authentication cookies
