How to fix: Cookie does not have Secure attribute in HTTPS / Cookie does not have an HTTPOnly Attribute

Florian Frei 0 Reputation points
2026-06-16T06:38:11.3866667+00:00

A security check of our website yielded the following results

DetectionDetails: Cookie Vulnerabilities Found
_uetsid = xxxd5405da111f19b0159219fe31461|pctccd|2|g6j|0|2343
Path = /
Host = .xxxxx.com
Cookie does not have secure attribue in HTTPS
Cookie does not have an HTTPOnly Attribute
Cookie Change Observed on CLIENTside

The Proposed Solution

It is important to set Secure and HTTPOnly flags for all the cookies on the application. The Secure flag prevents cookies from being transmitted over clear text. An HTTPOnly flag would limit cookie access in cases of Cross-Site Scripting issues. Proper Caching headers should be set for responses carrying the cookie. Cookies set on the client side should also contain Secure and HTTPOnly tags.

How can I resolve the issue with “Microsoft Advertising Universal Event Tracking”?

Microsoft Advertising | Other
1 answer

  1. AI answer

    2026-06-16T06:38:35.2533333+00:00

    The scan is reporting that the _uetsid cookie created by Microsoft Advertising UET is missing the Secure and HttpOnly attributes. To address this, configure the application so that all cookies are marked as secure and HttpOnly by default, and ensure the site is always accessed over HTTPS.

    Key points from the security guidance:

    1. Mark cookies as Secure when using HTTPS
      Cookies created over HTTPS are still sent over HTTP unless the Secure attribute is set. The Secure flag tells the browser to send the cookie only over HTTPS. For ASP.NET applications this can be enforced globally in web.config:
         <configuration>
           <system.web>
             <httpCookies requireSSL="true" />
           </system.web>
         </configuration>
      
      This forces the Secure attribute on all cookies, including current and future ones. Note that if the site is still reachable over plain HTTP, this setting will break those HTTP requests because the browser will not send secure cookies over HTTP. The site must be served only over HTTPS.
    2. Mark cookies as HttpOnly
      The HttpOnly attribute prevents client-side script from reading the cookie, which mitigates cookie theft via XSS. For ASP.NET applications, configure this globally in web.config:
         <system.web>
           ...
           <httpCookies httpOnlyCookies="true" requireSSL="true" />
         </system.web>
      
      This sets HttpOnly for all cookies by default. For individual cookies created in code, ensure HttpCookie.HttpOnly is set to true:
         using System.Web;
         
         HttpCookie httpCookie = new HttpCookie("cookieName");
         httpCookie.HttpOnly = true;
         // httpCookie.Secure is controlled by requireSSL above
      
    3. When cookies are created by frameworks or middleware
      If the application uses ASP.NET Core, configure cookies to be secure by default using cookie policy middleware, for example:
         using Microsoft.AspNetCore.Builder;
         using Microsoft.AspNetCore.Hosting;
         using Microsoft.AspNetCore.Http;

         public class Startup
         {
             public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             {
                 // Apply the cookie policy so every cookie the app emits carries the Secure attribute
                 app.UseCookiePolicy(
                     new CookiePolicyOptions
                     {
                         Secure = CookieSecurePolicy.Always
                     });
             }
         }
      
      This ensures cookies are always marked secure; combine with HttpOnly configuration on the specific cookie types (authentication, session, etc.).
    4. Client-side cookies and third-party scripts
      The scan notes that the cookie change is observed on the client side. If the UET script is setting cookies via JavaScript, the HttpOnly flag cannot be applied (HttpOnly cookies are not accessible to script by design). In that case, focus on:
      • Ensuring the site is HTTPS-only and that cookies are at least marked Secure where possible.
      • Ensuring no sensitive data is stored in client-side cookies set by analytics/advertising scripts.
      For cookies that must be script-accessible (for tracking), HttpOnly is not applicable; instead, mitigate via strong XSS protections and by not storing sensitive data in those cookies.
    5. Caching headers
      For responses that carry sensitive cookies (for example, authentication cookies), configure appropriate cache headers to prevent caching in shared caches. This is part of the general recommendation but is separate from the Secure/HttpOnly flags.

    In summary, fix the scan findings by enforcing requireSSL="true" and httpOnlyCookies="true" (or equivalent in ASP.NET Core) so that all server-controlled cookies are Secure and HttpOnly, ensure the site is HTTPS-only, and verify that any UET or other third-party cookies do not contain sensitive data and are at least marked Secure when possible.

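One way to confirm a fix before re-running the scanner, as an added example that is not part of the original answer: a small Python audit of Set-Cookie response headers that reports the same two attributes the scan flagged (Secure when served over HTTPS, and HttpOnly). The header values are constructed samples; the _uetsid line is a placeholder, not the real cookie from the report.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE'
    all match; flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie_headers(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Return {cookie_name: [findings]}; cookies with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        issues = []
        if over_https and "secure" not in attrs:
            issues.append("Cookie does not have Secure attribute in HTTPS")
        if "httponly" not in attrs:
            issues.append("Cookie does not have an HttpOnly attribute")
        if issues:
            findings[str(cookie["name"])] = issues
    return findings


# Constructed sample headers (placeholders, not captured from any real site)
SAMPLE_HEADERS = [
    "_uetsid=PLACEHOLDER_VALUE; Path=/; Domain=.example.com",   # missing both
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "prefs=dark; Path=/; Secure",                              # script-readable by design
]

if __name__ == "__main__":
    for cookie_name, issues in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {'; '.join(issues)}")
```

Feed it the Set-Cookie values from a real response (for example, from your browser's network tab or a curl -I capture) to see which server-set cookies still lack the attributes; cookies written by script such as document.cookie never appear in these headers, which is the client-side case the answer describes.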
