This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attr

Time:10-01

I have an ASP.NET WebForms/MVC hybrid app deployed on IIS 10. I have two bindings for this app: one with just a localhost:portNo binding and another with a DNSDomainName:portNo binding. Both are HTTP bindings. SSL is turned off. I get the error

"This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection."

when I test the DNSDomainName:portNo binding (it is failing to set sessions). The localhost:portNo binding works without any issues. Why is this happening, and how do I fix this?

CodePudding user response:

Your cookies are configured to require an HTTPS connection. When you try to set them on a non-secure connection, they will be rejected.

Check your web.config file settings for:

<httpCookies requireSSL="true" />

Change that setting to false, and your session cookies should start working.

NB: Once you publish your site, it should only ever be served over HTTPS, and this setting should be changed back to true.

Secure Cookie Attribute | OWASP Foundation

The localhost binding works because most browsers have special-case code to treat connections to that host name as "secure", even if they don't use HTTPS.

Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost and http://*.localhost URLs (e.g. http://dev.whatever.localhost/), and file:// URLs are also considered to have been delivered securely.
Secure contexts - Web security | MDN
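
One way to keep the plain-HTTP test bindings working without publishing requireSSL="false", shown as an added example that is not part of the original answer: a Web.Release.config transform that switches the attribute back to true at publish time. It assumes the project uses the standard Web.config transform files and that the base Web.config already contains the httpCookies element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Web.Release.config: applied to Web.config when publishing the Release configuration -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <!-- Assumption: the base Web.config has <httpCookies requireSSL="false" />
         so cookies are accepted on the HTTP-only test bindings.
         SetAttributes rewrites only requireSSL and leaves other attributes alone. -->
    <httpCookies requireSSL="true" xdt:Transform="SetAttributes(requireSSL)" />
  </system.web>
</configuration>
```

After publishing, the Set-Cookie response headers served over HTTPS should carry the secure attribute again.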
