Nagaraj S

Session value is not retained when httpCookies requireSSL="true"

Mar 11 2021 1:24 PM
Dear All,
 
We have a website (Web Forms) developed with ASP.NET 4.0. It can be accessed with two domain names, one with HTTPS and the other with HTTP (non-SSL).
 
Recently we ran a dynamic security scan of our website; it reported a few security issues, and to fix them we added the settings below to the web.config file.

```xml
<system.web>
  <!-- Marks ASP.NET's cookies (incl. ASP.NET_SessionId) with the Secure attribute -->
  <httpCookies requireSSL="true" />
</system.web>
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```
Due to these changes, we are facing an issue with the domain name that doesn't have SSL: the website doesn't retain the SESSION values. However, the domain name with SSL is working fine.
 
My observation is,

The website didn't report any issue when we checked it on the localhost server (without SSL); only in production does it exhibit this issue with the domain that doesn't have SSL.
Please help me to solve this issue.
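The behaviour described in the question, reproduced as an added example that is not part of the original post and not ASP.NET code: `httpCookies requireSSL="true"` makes ASP.NET emit the `ASP.NET_SessionId` cookie with the `Secure` attribute, and a browser never sends a `Secure` cookie on a plain-HTTP request. The standard-library `http.cookiejar` implements the same rule, so the script below issues the session cookie once per hostname and then checks whether the jar attaches it to the next request. The hostnames, the session id value, the response headers and the helper names (`FakeResponse`, `session_cookie_seen`, `compare`) are all constructed for this demo.

```python
"""Added example, not from the original post or from ASP.NET: simulate how a
browser cookie jar treats the ASP.NET session cookie once requireSSL="true"
adds the Secure attribute. Hostnames, session id, headers and helper names
are constructed for the demo."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # one Set-Cookie header per cookie

    def info(self):
        return self._headers


def session_cookie_seen(scheme, host, require_ssl):
    """Issue ASP.NET_SessionId on a first request to scheme://host, then
    return the Cookie header the jar attaches to the next request to the
    same origin. None means no cookie was sent, i.e. the server would
    create a brand-new session (the "session not retained" symptom)."""
    jar = CookieJar()

    first = Request(f"{scheme}://{host}/Default.aspx")
    set_cookie = "ASP.NET_SessionId=2f4c1c9e; path=/; HttpOnly"  # constructed id
    if require_ssl:
        set_cookie += "; Secure"  # the only thing requireSSL="true" changes
    jar.extract_cookies(FakeResponse([set_cookie]), first)

    second = Request(f"{scheme}://{host}/Default.aspx")
    jar.add_cookie_header(second)  # applies the Secure rule to the request scheme
    return second.get_header("Cookie")


def compare(require_ssl):
    """The two hostnames from the question: one served over HTTPS, one over HTTP."""
    return {
        "https": session_cookie_seen("https", "secure.example.com", require_ssl),
        "http": session_cookie_seen("http", "plain.example.com", require_ssl),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f'requireSSL="{str(flag).lower()}":', compare(flag))
```

With `require_ssl=True` the HTTPS origin gets `ASP.NET_SessionId=...` back on the second request while the HTTP origin gets nothing, which is exactly the production symptom. The localhost observation fits the same rule: Chrome and Firefox treat `http://localhost` as a secure context and do send `Secure` cookies there, while a production HTTP hostname gets no such exception. The setting is therefore working as intended; the practical fix is to serve the site only over HTTPS and redirect the HTTP hostname to it, which also makes the `Strict-Transport-Security` header effective, since browsers ignore HSTS on responses received over plain HTTP.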

Answers (1)