7.4 Secure session cookie
The session cookie mechanism is built into IIS, and is therefore a web infrastructure issue rather than an application issue.
You can configure IIS to add Secure and HttpOnly attributes to the cookie:
- The Secure attribute on the cookie tells the browser to send the cookie only when HTTPS (TLS) is used.
- The HttpOnly attribute on the cookie tells the browser to prevent client-side script code from accessing the cookie.
7.4.1 Implementation
For the Secure attribute to work for session cookies, TLS must be configured, and the MyID and MyIDProcessDriver applications in IIS must have been configured (under SSL Sessions) to Require SSL.
To configure IIS to add the Secure attribute to the session cookie:
- Configure the IIS property KeepSessionIdSecure. This is shown in the IIS interface under ASP > Session Properties as New ID On Secure Connection. This option also means that if you switch between HTTP and HTTPS you get a new session cookie.
  Note: This property defaults to true.
Apart from the session cookie, MyID does not set cookies in response headers. To configure IIS to use an HttpOnly session cookie:
- Install URL Rewrite from Microsoft's iis.net website.
- Edit the web.config file for the following IIS applications:
  - MyID – by default, the web.config file is in the following folder:
    C:\Program Files\Intercede\MyID\Web\
  - MyIDProcessDriver – by default, the web.config file is in the following folder:
    C:\Program Files\Intercede\MyID\SSP\MyIDProcessDriver
  - MyIDDataSource – by default, the web.config file is in the following folder:
    C:\Program Files\Intercede\MyID\SSP\MyIDDataSource
  If the web.config file does not exist, you must create it. If the file already exists, merge the additional changes below into the existing content.
  Edit each web.config file so that it contains the following content:
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly" enabled="true">
          <match serverVariable="RESPONSE_set_cookie" pattern=".*" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
            <add input="{RESPONSE_set_cookie}" pattern="; HttpOnly" negate="true" />
            <add input="{RESPONSE_set_cookie}" pattern="." />
          </conditions>
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
- For the web.config file in the MyIDProcessDriver folder, make the following additional change:
  - Under the <system.web> section, ensure the following node is present:
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
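The following added example (not part of the MyID documentation or product) models what the outbound rewrite rule above does to a Set-Cookie value and audits captured response headers for the Secure and HttpOnly attributes this section requires. It assumes URL Rewrite's default case-insensitive matching; the header lines are constructed samples, not output from a real server.

```python
import re
from typing import Dict, List

# Attributes this section requires on the session cookie (matched case-insensitively).
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly")


def apply_httponly_rule(set_cookie: str) -> str:
    """Model of the 'Add HttpOnly' outbound rule: append '; HttpOnly' to RESPONSE_set_cookie
    only when the header is non-empty (condition '.') and does not already contain
    '; HttpOnly' (negated condition). Case-insensitive match is assumed (URL Rewrite default)."""
    if not re.search(".", set_cookie):
        return set_cookie
    if re.search("; HttpOnly", set_cookie, re.IGNORECASE):
        return set_cookie
    return f"{set_cookie}; HttpOnly"


def audit_set_cookie(set_cookie: str) -> Dict[str, object]:
    """Return the cookie name and which required attributes are missing from one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    return {"cookie": name, "missing": missing}


def audit_response(headers: List[str]) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header in a captured response; return only cookies with findings."""
    findings = []
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            result = audit_set_cookie(value.strip())
            if result["missing"]:
                findings.append(result)
    return findings


# Constructed sample response headers (not captured from a real MyID server).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: ASPSESSIONIDQQRSTUVW=ABCDEFGHIJKLMNOPQRSTUVWX; path=/; secure",
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        print(f"{f['cookie']}: missing {', '.join(f['missing'])}")
    # Shows the rewrite rule adding HttpOnly to the first sample cookie.
    print(apply_httponly_rule(SAMPLE_HEADERS[1].partition(":")[2].strip()))
```

Run the audit against headers captured from the MyID, MyIDProcessDriver and MyIDDataSource applications after the change; any finding means the rule or the httpCookies node is not in effect for that application.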
7.4.2 Recommendations
Make sure that KeepSessionIdSecure has not been changed from the default.
For all systems, edit the web.config file to set HttpOnly.