---
title: Set Secure Flag On Session Cookies
impact: HIGH
impactDescription: stops the browser from sending the session cookie over plaintext HTTP, where it can be sniffed or replayed
tags: cookies, session, https, security, csharp
---

## Set Secure Flag On Session Cookies

Session cookies must only be sent over HTTPS. The `Secure` attribute tells the browser never to attach the cookie to a plaintext `http://` request, so a network attacker who can observe or inject traffic (open Wi-Fi, a compromised proxy, an `http://` link planted in a page) cannot capture the session token. Pair it with `HttpOnly` so script cannot read it, and with HSTS so the browser stops issuing plaintext requests at all.

**Incorrect (missing secure):**

```csharp
Response.Cookies.Append("session", token); // CookieOptions.Secure defaults to false: the cookie is sent over http:// too
```

**Correct (Secure=true):**

```csharp
var options = new CookieOptions
{
    Secure = true,              // Only sent over HTTPS
    HttpOnly = true,            // Not readable by script
    SameSite = SameSiteMode.Lax // Not sent on cross-site POSTs
};
Response.Cookies.Append("session", token, options);

// Global policy: marks every cookie the app issues as Secure, even ones
// appended without options. Requires app.UseCookiePolicy() in the pipeline,
// placed before any middleware that writes cookies.
services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});
```

`CookieSecurePolicy.Always` sets the flag even when the request itself arrived over HTTP, so a browser on a plain `http://` dev URL will refuse to store the cookie; run development over HTTPS (the `dotnet dev-certs https` certificate) rather than downgrading the policy to `SameAsRequest`.
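In ASP.NET Core the session cookie and the authentication cookie are written by the Session and Cookie Authentication middleware, not by a hand-written `Response.Cookies.Append`, so the flags have to be set on those middlewares' `CookieBuilder` as well. The following `Program.cs` is an added example, not code from the original page; it assumes ASP.NET Core 6 or later with minimal hosting, an app mounted at the site root (required for the `__Host-` prefix), and the cookie names `__Host-session` and `__Host-auth`, which are illustrative.

```csharp
// Added example, not from the original page. Hardens every cookie the app
// issues: session, authentication, and any ad-hoc Append that forgot options.
// Assumptions: ASP.NET Core 6+ minimal hosting, app served from the root path.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Session middleware issues its own cookie; harden it here.
builder.Services.AddDistributedMemoryCache();
builder.Services.AddSession(options =>
{
    // "__Host-" prefix: browsers reject the cookie unless it is Secure, has no
    // Domain attribute and Path=/, so a sibling subdomain cannot overwrite it.
    options.Cookie.Name = "__Host-session";               // illustrative name
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // Secure even if the request came over HTTP
    options.Cookie.HttpOnly = true;                        // not readable from script
    options.Cookie.SameSite = SameSiteMode.Lax;            // not sent on cross-site POSTs
    options.Cookie.IsEssential = true;                     // not suppressed by consent policy
    options.IdleTimeout = TimeSpan.FromMinutes(20);
});

// Cookie authentication: the same attributes for the auth-ticket cookie.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "__Host-auth";               // illustrative name
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;
    });
builder.Services.AddAuthorization();

// Global policy: catches any Response.Cookies.Append that omitted the options.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();            // browsers stop issuing plaintext requests entirely
}
app.UseHttpsRedirection();
app.UseCookiePolicy();        // must precede every middleware that writes cookies
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) =>
{
    // Touching the session forces the middleware to emit the Set-Cookie header.
    ctx.Session.SetString("visited", DateTime.UtcNow.ToString("o"));
    return "session cookie issued with Secure; HttpOnly; SameSite=Lax";
});

app.Run();
```

After starting the app, request `/` and confirm that each `Set-Cookie` response header carries `secure`, `httponly` and `samesite=lax`; a `__Host-` cookie that lacks any of the prefix requirements is silently dropped by the browser, which shows up as a session that never persists.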

**Tools:** Browser DevTools (Application > Cookies, check the Secure and HttpOnly columns), `curl -sI https://host/ | grep -i set-cookie`, OWASP ZAP (flags session cookies missing the Secure attribute in its passive scan)
