5
votes

I am using System.IdentityModel to authenticate users in an ASP.NET MVC4 web application using forms auth with a claims principal. (code based on this article: http://brockallen.com/2013/01/26/replacing-forms-authentication-with-wifs-session-authentication-module-sam-to-enable-claims-aware-identity/)

My ClaimsBasedAuthenticationService class issues the SAM cookie from the SessionSecurityToken, and all has been well...except that I just now noticed that it is not creating the session cookies as HTTPOnly or requiring them to require SSL. When I debug the code, I can see those properties on the CookieHandler object are set correctly in the debugger, but the final session cookie that is created simply doesn't have the HTTPOnly and Secure flags marked.

I have the web.config lines to set these to true explicitly as such:

<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authentication mode="Forms">
     <forms ... requireSSL="true" />
  </authentication>
 ...
</system.web>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="true" hideFromScript="true" />
  </federationConfiguration>
</system.identityModel.services>

Can someone tell me if there's something else I am missing in order for my FedAuth cookies to be hidden from script (HTTPOnly) and require SSL?

2
Someone suggested adding the attribute lockItem="true" to the httpCookies element, but that didn't do anything. - Thiago Silva

2 Answers

0
votes

I am using the same implementation and do not see your issue using Fiddler2. However, maybe the issue is related to your debugging tool? In IE10 debugging tools the Secure and HttpOnly flags are only displayed when the cookies are first received. If you check using Chrome debugging tools you should see the flags displayed correctly on all requests.
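To rule out the debugging tool, it helps to read the Set-Cookie headers straight off the wire. The following is an added example, not code from either poster: it audits raw Set-Cookie values for the SAM cookie and its chunks, and can fetch them directly over TLS. It assumes the default cookie name FedAuth with chunks named FedAuth1, FedAuth2, and so on; adjust the prefix if the cookieHandler element sets a different name.

```python
import http.client
import ssl
from urllib.parse import urlsplit

# Assumed default names written by the SessionAuthenticationModule: the
# primary cookie "FedAuth" plus chunks "FedAuth1", "FedAuth2", ... when the
# token is too large for one cookie.
SESSION_COOKIE_PREFIX = "FedAuth"
REQUIRED_FLAGS = ("httponly", "secure")


def audit_set_cookie(header_values):
    """Return {cookie_name: [missing flags]} for each session cookie found
    in a list of raw Set-Cookie header values. Attribute names are compared
    case-insensitively, as browsers treat them."""
    findings = {}
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        if not name.startswith(SESSION_COOKIE_PREFIX):
            continue  # e.g. ASP.NET_SessionId; not a SAM cookie
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        findings[name] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return findings


def fetch_set_cookie(url, extra_headers=None):
    """Issue one GET over TLS and return every raw Set-Cookie value from the
    response, bypassing any browser cookie store or dev-tools display."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                       context=ssl.create_default_context())
    conn.request("GET", u.path or "/", headers=extra_headers or {})
    resp = conn.getresponse()
    values = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return values


# Constructed sample response headers: one chunk correctly flagged, one
# chunk missing both flags, and an unrelated cookie that is ignored.
SAMPLE_HEADERS = [
    "FedAuth=AAAABBBB; path=/; secure; HttpOnly",
    "FedAuth1=CCCCDDDD; path=/",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not missing else "missing: " + ", ".join(missing))
```

Point fetch_set_cookie at the URL that completes the login (the first response carrying the SAM cookie), since later requests will not re-issue it.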

0
votes

Did you get this working? I've been using basically the same code and it's all fine.

I can't see that the following suggestions have anything to do with anything, but the only things I can suggest are to set the cookie lifetime

<cookieHandler hideFromScript="true" requireSsl="true" persistentSessionLifetime="30" />

<forms loginUrl="/Whereever" timeout="30" requireSSL="true" />

and

<system.webServer>
  <modules>
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  </modules>
</system.webServer>