Posts Tagged ‘IIS’

3 Jun

Securing Session Cookies or IDs over the Network

   Posted by: Rasik Jain    in Programming

The following are some security practices for transmitting session cookies securely between the web server and the client.

  • If it is a commercial website, install SSL so that communication is encrypted.
  • Generate unpredictable random characters for the session ID value.
  • Avoid incremental or time-based session cookie values.
  • Issue or generate the session cookie only after successful authentication.
  • Never generate session cookies as persistent cookies on the user's hard disk.
  • Set the “SECURE” flag on the session cookie, which means the cookie will be transmitted over SSL only.
  • Set the Path and Domain attributes of session cookies.
  • Never store or pass session information in URLs or hidden fields.
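The post lists the practices but shows no code. The following Python is an added example, not code from the original post: it generates a session ID from the operating system's CSPRNG (so it is neither incremental nor time based), builds a Set-Cookie header with the Secure flag, Path and Domain set and no Expires/Max-Age (so the browser never writes it to disk), and audits an arbitrary Set-Cookie header against the same checklist. The cookie name `SESSIONID`, the domain `www.example.com` and the "weak" sample header are constructed for the example.

```python
import secrets
from http import cookies
from typing import List

# Cookie name and application domain are constructed assumptions for this example.
SESSION_COOKIE_NAME = "SESSIONID"
APP_DOMAIN = "www.example.com"


def generate_session_id(num_bytes: int = 32) -> str:
    """Return an unpredictable session identifier.

    secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes gives 256 bits of
    entropy as URL-safe base64 text (43 characters), so the value cannot be
    guessed from a counter or the clock.
    """
    return secrets.token_urlsafe(num_bytes)


def build_session_cookie(session_id: str, domain: str = APP_DOMAIN, path: str = "/") -> str:
    """Build the Set-Cookie header value for a non-persistent session cookie.

    No Expires or Max-Age is set, so the browser keeps the cookie in memory only.
    Secure restricts transmission to SSL/TLS, HttpOnly keeps it away from script,
    and Path/Domain limit where the browser will send it.
    """
    jar = cookies.SimpleCookie()
    jar[SESSION_COOKIE_NAME] = session_id
    morsel = jar[SESSION_COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["path"] = path
    morsel["domain"] = domain
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Check a Set-Cookie header value against the post's checklist.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    parts = [p.strip() for p in header.split(";")]
    _name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: cookie is readable by page script")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: Expires/Max-Age set, value will be written to disk")
    if "path" not in attrs:
        findings.append("no Path attribute set")
    if "domain" not in attrs:
        findings.append("no Domain attribute set")
    # Predictability heuristics: a purely numeric value is typically a counter or
    # a timestamp, and a short value has too little entropy to resist guessing.
    if value.isdigit():
        findings.append("session value is purely numeric: likely incremental or time based")
    elif len(value) < 16:
        findings.append("session value is too short to be unpredictable")
    return findings


if __name__ == "__main__":
    good = build_session_cookie(generate_session_id())
    print("good:", good, audit_set_cookie(good))
    # Constructed weak header: timestamp value, persistent, no Secure flag.
    weak = "SESSIONID=1685750400; Path=/; Expires=Wed, 09 Jun 2027 10:18:14 GMT"
    print("weak:", weak, audit_set_cookie(weak))
```

`audit_set_cookie` is meant to be run over the Set-Cookie headers an application actually emits; a non-empty result for the session cookie points at which item on the list above is being violated.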
