How to fix Session Cookie attributes not set application hosted in web app ?

$@chin 115

How to remediate the issue or vulnerability of Session Cookie attributes not being set when the application is hosted in an Azure web app behind the Azure Application Gateway with WAF ?

1 answer

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-08T06:29:54.5166667+00:00
Hi @$@chin ,

welcome to the Microsoft Q&A Platform!
To remediate the vulnerability related to session cookies without secure attributes in an Azure Web App behind an Application Gateway with WAF,

Set Cookie Attributes in Code: Configure session cookies with Secure, HttpOnly, and SameSite attributes in the application code.

var cookieOptions = new CookieOptions { Secure = true, // Only send over HTTPS HttpOnly = true, // Prevent access from JavaScript SameSite = SameSiteMode.Strict // Set cross-site restriction };

Web.Config Settings (for .NET): Set cookies to require SSL and specify cookieSecure="Always" in web.config.

<system.web> <authentication mode="Forms"> <forms requireSSL="true" cookieless="UseCookies" /> </authentication> <sessionState cookieSecure="Always" /> </system.web>

Use Azure Application Gateway Rewrite Rules: Create rewrite rules in Application Gateway to add Secure, HttpOnly, and SameSite attributes if they are missing.

Enable HTTPS-Only in Azure Web App: Go to TLS/SSL settings and enable HTTPS Only.

Verify with Security Tools: Confirm session cookies have secure attributes using browser dev tools or a vulnerability scanner.
It help secure session cookies and reduce vulnerability.
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
Please sign in to rate this answer.
$@chin 115 Reputation points

2024-11-08T18:27:20.2233333+00:00

Hi @Shree Hima Bindu Maganti ,

Does the configuration need to be applied at all places (app code, web app and app gateway), or is configuring one place sufficient ?

How do you configure it at the web app using ASP.NET 4.8?
How do you configure it at the Application Gateway ? What values need to be defined ? attached the screenshot of app gw.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-11T01:01:38.6566667+00:00

Hi @$@chin ,

Thankyou For Your Response
To set secure attributes on session cookies, the configuration can be applied either in the application code or at the Application Gateway, but implementing it at the application level is recommended for consistency.
In ASP.NET 4.8 Code (Web App)

Add this to web.config to enforce secure cookie attributes:

<system.web> <authentication mode="Forms"> <forms requireSSL="true" cookieless="UseCookies" /> </authentication> <sessionState cookieSecure="Always" /> </system.web>

In Azure Application Gateway (App Gateway)

Create a rewrite rule to add secure cookie attributes:

Rewrite type: Set

Action type: Insert or Overwrite

Header name: Set-Cookie

Header value: Secure; HttpOnly; SameSite=Strict

This configuration ensures cookies are secure across your app.
In the attached screenshot, you would add a new header with values:

Header name: Set-Cookie

Header value: Secure; HttpOnly; SameSite=Strict

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-12T02:40:00.9133333+00:00

Hi @$@chin ,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-13T00:43:17.08+00:00

Hi @$@chin ,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

$@chin 115 Reputation points

2024-11-13T18:37:35.65+00:00

Hi,

I have multiple listeners in the App Gateway. However, I would like to apply this change to a selected listener only. Is this something that can be configured specifically for a listener ?

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-15T04:39:36.33+00:00

Hi @$@chin ,
Thankyou for your Response.
Yes, you can apply rewrite rules to a specific listener in Azure Application Gateway. Here’s how to do it:

Navigate to Rewrite Rules:

Go to your Application Gateway in the Azure portal.

Select Rewrite under the settings.

Create a Rewrite Set:

Add a new Rewrite Set with the desired configuration for the Set-Cookie header.

Associate Rewrite Set with a Specific Listener:

Go to Listeners and select the specific listener you want to apply the rule to.

In the Listener settings, find the Rewrite Set option.

Associate the newly created rewrite set with this listener.
Let me know for any further assistances.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-18T01:05:06.1666667+00:00

Hi @$@chin ,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

More, Rajat 0 Reputation points

2024-11-18T10:25:43.76+00:00

Hi @Shree Hima Bindu Maganti ,

In my scenario this has been highlighted, could you please suggest for the below mentioned observation.

Session Cookie attributes not set: It was observed that the application does not set ‘Path’ and ‘Same site’ attributes for its session cookies.

If we have to create a Rewrite Rule what will the Rewrite type value, Common Header and Header Value.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-18T15:52:36.2633333+00:00

Hi @More, Rajat ,
Since this is a different customer, it would be best if you open a new thread. This will help us track each case separately and ensure more effective follow-up and resolution.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-19T01:25:49.6133333+00:00

Hi @$@chin ,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.

Shree Hima Bindu Maganti 895 Reputation points Microsoft Vendor

2024-11-20T01:55:02.8366667+00:00

Hi @$@chin ,

Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to fix Session Cookie attributes not set application hosted in web app ?

1 answer

Your answer