
Hi, I am working on an ASP.NET website. I am using session to keep the user logged in. The site was working perfectly until I had to add

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>

in web.config, as the auditor reported the vulnerability "Missing Secure Attribute in Session Cookie". The site is just not retrieving the session being set after adding the above code in web.config.

I am getting the error:

Session state can only be used when enableSessionState is set to true, either 
in a configuration file or in the Page directive. Please also make sure that 
System.Web.SessionStateModule or a custom session state module is included in the 
<configuration>\<system.web>\<httpModules> section in the application configuration.

I tried adding enableSessionState to my pages tag in web.config:

<pages enableViewStateMac="true" viewStateEncryptionMode="Always" enableEventValidation="true" enableSessionState="true">

Any help would be appreciated. Thanks in advance.

Arti
  • Did you check that the ASP.NET Session State Manager Service is running? – Amit Kumar Jul 15 '14 at 18:47
  • I am running the website locally. I have not published the website on IIS. Also, it works if I remove the tag from web.config. – Arti Jul 16 '14 at 04:23

0 Answers