Posted 30 Nov 2007



Transparent Cookie Encryption Via HTTP Module

5 Jul 2009 | CPOL | 4 min read
A C# HTTP module that encrypts and decrypts cookies transparently to an application


This HTTP module allows cookies to be encrypted/decrypted without any change to the Web application making use of the cookies. It effectively bolts on cookie encryption to .NET applications that may not originally have included it.

Using the Code

The solution contains two projects:

  1. CookieEncryptionModule - This is the HTTP module class library that does the actual work.
  2. CookieEncryptionTestWeb - This is a Web project that has been "wired up" to use the HTTP module.

Using the module is as simple as dropping the CookieEncryptionModule.dll file into the Web application's bin folder and registering it in the httpModules section of the web.config file (see the test project). Several optional web.config settings control how the module handles cookies:

  • CookieEncryptionModule_CookieList: This is a delimited list of cookie names.
  • CookieEncryptionModule_Separator: This is a single character that is used to delimit cookie names in CookieEncryptionModule_CookieList.
  • CookieEncryptionModule_HandleOrIgnoreCookieList: This determines whether CookieEncryptionModule_CookieList is inclusive or exclusive.
    • Handle - Only cookies in the list will be encrypted
    • Ignore - Only cookies not in the list will be encrypted
  • CookieEncryptionModule_UnencryptedCookiePolicy: This specifies how to handle the expiration of unencrypted persistent cookies that are now identified as requiring encryption. Since only the cookie name and value are sent in the request, the original expiration is not available to the module, so the expiration date/time must be reset when the cookie is encrypted.
    • Ignore - The cookie will not be encrypted unless it is reset by the application.
    • Clear - The cookie will be deleted before the application sees it.
      Note: This removes it from the request but not from the client.
    • Session - The cookie will be converted to a session cookie.
    • Never - Expiration set to 01/01/2099.
    • yy,dd,hh,mm,ss - An expiration of yy years, dd days, hh hours, mm minutes and ss seconds will be set.

If these settings are not specified, the module defaults to encrypting all cookies and removing unencrypted cookies from the request.

Using the Test Website

Since the encryption and decryption of cookies is transparent to the application, you need to look at the cookies directly either through the browser's "View Files" (Internet Explorer) or "Show Cookies" (Firefox) option or by using a tool such as Fiddler 2 Web proxy or the Internet Explorer Developer Toolbar. As an example, to see the way unencrypted cookies are handled:

  1. Open the solution, set CookieEncryptionTestWeb as the startup project and CookieEncryptionTester.aspx as the start page.
  2. Remove TestCookie2 and the separator (|) from the CookieEncryptionModule_CookieList value in the web.config and save the change.
  3. Delete any previous TestCookie values from your browser cache and run the project. The test Web page should show No Cookie for all 4 values as this is populated from cookies sent with the request.
  4. Check the cookies now stored on disk and you should see an unencrypted TestCookie2 and an encrypted TestCookie4. There should be no entry for TestCookie1 or 3 as these are session cookies.
  5. Reverse the change made to the web.config in step 2 so that TestCookie2 is marked as a cookie that requires encryption. Press the Submit button on the test Web page.
  6. Check the cookies now stored on disk and you should see that TestCookie2 is encrypted and has an expiry date 1 year in the future (as specified by the web.config value for CookieEncryptionModule_UnencryptedCookiePolicy).
  7. Remove TestCookie2 and the separator (as step 2) and press the Submit button.
  8. The Web page should now show the encrypted value of TestCookie2 as it is no longer marked as an encrypted cookie.

Points of Interest

I have attempted to ensure that the module defaults to its most secure settings (all cookies encrypted, unencrypted cookies removed from the request) if there are any problems or if the web.config doesn't contain valid settings.

I opted to use the built-in FormsAuthenticationTicket to handle the encryption. This was on the basis that since it is used for forms authentication, it is already optimised for use in this process. However, there should be no problem with replacing this with a custom encryption handler.

There is a hard-coded list (NeverProcessTheseCookies) of cookies that should never be touched. This contains the session cookie by default. If your application uses forms authentication and you want the web.config to specify cookies to be encrypted (rather than ignored), then add the authentication cookie name to this list. If, in the web.config, you are specifying cookies to be ignored then you can add the forms authentication cookie there.
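A minimal module showing the approach described above: values are wrapped in a FormsAuthenticationTicket, the session cookie is left alone, and any request cookie that fails to decrypt is removed before the application sees it. This is an added sketch, not the article's CookieEncryptionModule source; the class name, the choice of the BeginRequest/EndRequest events, and the restriction to single-value cookies are assumptions.

```csharp
// Added illustration; not the article's CookieEncryptionModule source.
using System;
using System.Web;
using System.Web.Security;

public class CookieCryptoSketch : IHttpModule           // hypothetical class name
{
    const string SessionCookie = "ASP.NET_SessionId";   // default session cookie name

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (s, e) => DecryptIncoming(((HttpApplication)s).Request);
        app.EndRequest += (s, e) => EncryptOutgoing(((HttpApplication)s).Response);
    }
    public void Dispose() { }

    static void DecryptIncoming(HttpRequest request)
    {
        foreach (string name in request.Cookies.AllKeys) // AllKeys is a copy, so Remove is safe
        {
            HttpCookie c = request.Cookies[name];
            if (c == null || name == SessionCookie) continue;
            string plain = Unprotect(c.Value);
            if (plain == null) request.Cookies.Remove(name); // default policy: hide it from the app
            else c.Value = plain;
        }
    }

    static void EncryptOutgoing(HttpResponse response)
    {
        for (int i = 0; i < response.Cookies.Count; i++) // index access never creates a cookie
        {
            HttpCookie c = response.Cookies[i];
            if (c.Name == SessionCookie || string.IsNullOrEmpty(c.Value)) continue;
            c.Value = Protect(c.Name, c.Value);
        }
    }

    static string Protect(string name, string value)
    {
        // The cookie value travels as the ticket's UserData; ticket expiry is not checked here.
        var ticket = new FormsAuthenticationTicket(1, name, DateTime.Now,
            DateTime.Now.AddYears(10), false, value);
        return FormsAuthentication.Encrypt(ticket);
    }

    static string Unprotect(string value)
    {
        try { var t = FormsAuthentication.Decrypt(value); return t == null ? null : t.UserData; }
        catch (Exception) { return null; }               // fail closed: not a valid ticket
    }
}
```

FormsAuthentication.Encrypt and Decrypt use the application's machineKey settings, so every server in a web farm needs the same keys for cookies to decrypt.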

The Value property that is displayed appears to be generated by combining the key/value pairs in the Values collection. If you set the Value property directly, e.g. MyCookie.Value="Test"; this creates a new NameValueCollection with a pair (null, "Test") at position zero. The HasKeys property is only set to true if the Values collection contains non-null keys.


History

  • 9th December, 2007
    • Added notes on using the test Web application
    • Modified constructor to assign ApplicationUnencryptedCookiePolicy only if everything is OK
    • Modified constructor to use string constant for Handle/Ignore test
  • 10th December, 2007
    • Corrected change to ApplicationUnencryptedCookiePolicy in constructor
  • 4th July, 2009
    • Modified cookie decryption to correctly handle multi-value cookies (thanks to Ryan Salt for the heads up)
    • Modified the test application to demonstrate multi-value cookies


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By
Web Developer
United Kingdom