Cookies without the Secure flag set are sent by the browser over plain HTTP as well as HTTPS, so any attacker who can observe the network path (for example on a shared Wi-Fi network, or by luring the user to an http:// link to the same host) can read them. If a sensitive cookie such as a session identifier is intercepted this way, the attacker can replay it and perform actions on the user's behalf.

When using ASP.NET Core, ensure cookies have the Secure flag set by setting Microsoft.AspNetCore.Http.CookieOptions.Secure to true on each cookie, or by using CookiePolicyOptions (with Secure set to CookieSecurePolicy.Always) to apply a default policy to every cookie the application issues.

When using ASP.NET Web Forms, cookies can be made secure by default in the Web.config file by setting the requireSSL attribute to true on the forms element (which covers only the forms authentication cookie) or on the httpCookies element (which covers all cookies the application issues, including the session ID cookie). Individual cookies may also be made secure programmatically by setting the System.Web.HttpCookie.Secure property to true.

In the example below, Microsoft.AspNetCore.Http.CookieOptions.Secure is set to true.
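The following is an added example, not code from the original page: an ASP.NET Core controller that issues a session cookie first without and then with the Secure flag. The controller, action and cookie name/value are hypothetical.

```csharp
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Added example (hypothetical controller). The cookie name "session" and the
// value "abc123" are placeholders for a real session identifier.
public class AccountController : Controller
{
    // BAD: no CookieOptions, so Secure is false. The browser will also send
    // this cookie on plain http:// requests to the same host, where it can be
    // read by anyone on the network path.
    [HttpPost("login-insecure")]
    public IActionResult LoginInsecure()
    {
        Response.Cookies.Append("session", "abc123");
        return Ok();
    }

    // GOOD: Secure = true, so the browser only ever sends the cookie over
    // HTTPS. HttpOnly and SameSite are not the subject of this finding but a
    // session cookie should normally carry them too.
    [HttpPost("login")]
    public IActionResult Login()
    {
        var options = new CookieOptions
        {
            Secure = true,
            HttpOnly = true,
            SameSite = SameSiteMode.Strict,
        };
        Response.Cookies.Append("session", "abc123", options);
        return Ok();
    }
}
```

A quick check after deploying: the Set-Cookie header returned by the login endpoint must contain the literal attribute `Secure`, for example `Set-Cookie: session=abc123; path=/; secure; samesite=strict; httponly`.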

In the following example, CookiePolicyOptions are set programmatically to configure defaults.
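The following is an added example, not code from the original page: a minimal-hosting Program.cs that configures CookiePolicyOptions so that every cookie the application issues gets the Secure flag, even where the issuing code passes no CookieOptions. The endpoint and cookie name are hypothetical.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<CookiePolicyOptions>(options =>
{
    // Always mark cookies Secure, whatever the scheme of the incoming request.
    // The default, CookieSecurePolicy.SameAsRequest, leaves the flag off when
    // the request itself arrived over HTTP, which is exactly what happens
    // behind a TLS-terminating proxy whose X-Forwarded-Proto header is not
    // honoured by the application.
    options.Secure = CookieSecurePolicy.Always;

    // Not required for this finding, but the same policy object is the
    // natural place to enforce HttpOnly and a SameSite floor as well.
    options.HttpOnly = HttpOnlyPolicy.Always;
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
});

var app = builder.Build();

// The options above are only applied by the cookie policy middleware; without
// this call they have no effect on the cookies that are written.
app.UseCookiePolicy();

// Hypothetical endpoint. No CookieOptions are passed, yet the middleware
// rewrites the outgoing Set-Cookie header to include Secure and HttpOnly.
app.MapGet("/login", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Append("session", "abc123");
    return "ok";
});

app.Run();
```

CookieSecurePolicy.Always is the right choice whenever the site is only reachable over HTTPS. If you keep the default SameAsRequest because part of the site is served over HTTP, make sure the forwarded-headers middleware is configured, otherwise requests that were HTTPS at the edge will still be seen as HTTP by the application and the flag will be dropped.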

In the example below System.Web.HttpCookie.Secure is set to true programmatically.
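The following is an added example, not code from the original page: a Web Forms code-behind handler that issues a cookie with System.Web.HttpCookie.Secure set to true. The page class, event handler and cookie name/value are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (hypothetical Login.aspx code-behind).
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // BAD: HttpCookie.Secure defaults to false (unless httpCookies
        // requireSSL="true" is set in Web.config), so this cookie would be
        // sent over plain HTTP as well.
        //
        //   var insecure = new HttpCookie("session", "abc123");
        //   Response.Cookies.Add(insecure);

        // GOOD: set Secure = true explicitly so the browser only sends the
        // cookie over HTTPS. HttpOnly is a separate hardening measure that a
        // session cookie should normally carry as well.
        var cookie = new HttpCookie("session", "abc123")
        {
            Secure = true,
            HttpOnly = true,
        };
        Response.Cookies.Add(cookie);
    }
}
```

Setting the property per cookie works, but it is easy to miss one; the Web.config httpCookies element (below) makes the secure setting the default for every cookie the application writes.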

In the example below, the requireSSL attribute is set to true in the forms element of the Web.config file.
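The following is an added example, not configuration from the original page: a Web.config fragment that sets requireSSL="true" on both the forms element and the httpCookies element. The loginUrl value is a placeholder.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true" here covers only the forms authentication ticket
           cookie: it is issued with the Secure flag, and ASP.NET refuses to
           issue it at all (throws HttpException) if the request that tries to
           set it did not arrive over HTTPS. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>

    <!-- requireSSL="true" here makes every cookie the application issues
         Secure by default, including the ASP.NET_SessionId cookie, which the
         forms element above does not cover. httpOnlyCookies is a separate
         hardening setting and is not required for this finding. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Because forms requireSSL="true" causes cookie issuance to fail on HTTP requests, make sure the login page itself is only reachable over HTTPS before enabling it in production.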

  • ASP.NET Core docs: CookieOptions.Secure Property.
  • MDN: Set-Cookie Header.
  • Web Forms docs: FormsAuthentication.RequireSSL Property.
  • Web Forms docs: forms Element for authentication.
  • Web Forms docs: httpCookies Element.
  • Detectify: Cookie lack Secure flag.
  • PortSwigger: TLS cookie without secure flag set.