Using Cookies in ASP.NET

Secure cookies with web.config in .NET

<system.web>

<httpCookies httpOnlyCookies="true|false" requireSSL="true|false" domain=".domain.com" sameSite="None|Lax|Strict|Unspecified" />

</system.web>

When a cookie that has HttpOnlyCookies set to true is received by a compliant browser, it is inaccessible to client-side script.

Setting the sameSite attribute value to either of the Strict, Lax or None enumeration values will cause a SameSite attribute to be appended on all cookies of your application that are not Authentication or Session related. Cookies marked with SameSite=None will only be sent back to the server if marked as secure and if the connection between client and server is a secure connection.

Creating an encrypted cookie with integrity:

HttpCookie cookie = new HttpCookie(name, val);

HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie);

Decrypting and validating an encrypted cookie:

– HttpSecureCookie.Decode (cookie);