How to secure the ASP.NET_SessionId cookie?
Here is a code snippet taken from a blog article written by Anubhav Goyal:
// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
{
Response.Cookies[s].Secure = true;
}
}
}
Adding this to the EndRequest event handler in the global.asax should make this happen for all page calls.
Note: An edit was proposed to add a break;
statement inside a successful "secure" assignment. I've rejected this edit based on the idea that it would only allow 1 of the cookies to be forced to secure and the second would be ignored. It is not inconceivable to add a counter or some other metric to determine that both have been secured and to break at that point.
Is it possible to mark the cookie ASP.NET_sessionID as secure
This should enable you to set the cookie as secure:
void Application_EndRequest(object sender, EventArgs e)
{
var sessionCookieKey = Response.Cookies.AllKeys.SingleOrDefault(c => c.ToLower() == "asp.net_sessionid");
var sessionCookie = Response.Cookies.Get(sessionCookieKey);
if(sessionCookie != null)
{
sessionCookie.Secure = true;
}
}
ASP.NET_SessionId cookie value is alway Lax in the SameSite
The <httpCookies sameSite="...">
attribute in Web.config doesn't affect the ASP.NET_SessionId cookie. Set the <sessionState cookieSameSite="...">
attribute instead:
<system.web>
<sessionState cookieSameSite="None" />
</system.web>
How can I set the Secure flag on an ASP.NET Session Cookie?
There are two ways, one httpCookies
element in web.config
allows you to turn on requireSSL
which only transmit all cookies including session in SSL only and also inside forms authentication, but if you turn on SSL on httpcookies you must also turn it on inside forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />
How secure are ASP.net security cookies
Sessions in ASP.NET aren't authenticated - authentication is entirely separate. By taking a session cookie and recreating it yes you can hijack the session, and if you lift an authentication cookie then you can authenticate as a user (which is why, by default, authentication cookies expire) - see http://msdn.microsoft.com/en-us/library/ms178581.aspx
The security note is quite clear;
SessionID values are sent in clear text, whether as a cookie or as
part of the URL. A malicious user could get access to the session of
another user by obtaining the SessionID value and including it in
requests to the server. If you are storing sensitive information in
session state, it is recommended that you use SSL to encrypt any
communication between the browser and server that includes the
SessionID value.
Make ASP.NET_SessionId cookie not httpOnly
If you REALLY need it you could try to add this to your Global.asax:
void Application_EndRequest(Object sender, EventArgs e)
{
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
if (s == "ASP.NET_SessionId")
{
Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
}
}
}
}
Solution was taken from here.
How to hide the ASP.NET_SessionID cookie string in asp.net webform?
You cannot remove this cookie, since it is used by ASP.Net framework internally to identify unique session.
However you can prevent some XSS attacks using HttpOnly
ASP.NET_SessionId=ig2fac55; path=/; HttpOnly
By default, ASP.Net session cookies are HttpOnly and cannot be modified by client script
MSDN Article
HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to
true. Internet Explorer 6 Service Pack 1 supports this cookie
attribute, which prevents client-side script from accessing the cookie
from the document.cookie property. If an attempt is made to access the
cookie from client-side script, an empty string is returned. The
cookie is still sent to the server whenever the user browses to a Web
site in the current domain.
Related Topics
How to Format Number as Money Using Regex
Copy Files With Authentication in C#
Using Recursion to Add Odd Numbers
Use Latest Version of Internet Explorer in the Webbrowser Control
How to Prevent the Print Progress Dialog Appearing When Performing a Print Preview
Reportviewer: Show Reports in Print Layout With Page Width Zoommode
Visual Studio Solution Unavailable (Reload Doesn't Work)
C# List Join List and Filter from Another List
C# Multipart/Form-Data Submit Programmatically
Extract First Element from Json
Convert Byte Array to Wav File
Linq Multiple Group by in a List<T> Then Convert to List<T>
How to Remove Windows Credentials
How to Make Xmlserializer Ignore the Namespace on Deserialization
Choosing the Default Value of an Enum Type Without Having to Change Values
Asp Core Webapi Test File Upload Using Postman
Accessing a Shared File (Unc) from a Remote, Non-Trusted Domain With Credentials