From MSDN:
When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.
I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e)
{
    // Only mark the cookie Secure when it is being issued over HTTPS;
    // the browser will then refuse to send it back over plain HTTP.
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = true;
}
This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.
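As an added example (not code from the original answer): the same Secure handling can be done in Application_EndRequest, so it applies to the session cookie whenever it is written to the response rather than only at Session_Start, and the HttpOnly flag is set at the same time. It assumes the default cookie name ASP.NET_SessionId (change it if web.config sets sessionState cookieName) and iterates Response.Cookies.AllKeys first, because indexing Response.Cookies by a name that is not present creates an empty cookie.

```csharp
// Global.asax.cs (added example, not the original answer's code).
// Assumes a .NET Framework ASP.NET application using cookie-based session state.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Default ASP.NET session cookie name (assumption: not overridden in web.config).
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Walk the keys first: Response.Cookies[name] would add an empty
        // Set-Cookie header if the session cookie is not in this response.
        foreach (string name in Response.Cookies.AllKeys)
        {
            if (!string.Equals(name, SessionCookieName, StringComparison.OrdinalIgnoreCase))
                continue;

            HttpCookie sessionCookie = Response.Cookies[name];

            // Keep client-side script from reading the session ID.
            sessionCookie.HttpOnly = true;

            // Only flag it Secure when it is issued over HTTPS; a Secure cookie
            // is never sent by the browser over plain HTTP.
            if (Request.IsSecureConnection)
                sessionCookie.Secure = true;
        }
    }
}
```

The trade-off to be aware of: a Secure session cookie issued over HTTPS is not sent with later plain-HTTP requests, so a site that mixes HTTP and HTTPS pages gets a separate, new session on the HTTP side. Serving the whole site over HTTPS avoids that, and then the declarative equivalent in web.config, `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>`, marks every cookie Secure and HttpOnly without any Global.asax code.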