How to Secure the Asp.Net_Sessionid Cookie

How to secure the ASP.NET_SessionId cookie?

Here is a code snippet taken from a blog article written by Anubhav Goyal:

// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        // match the forms auth cookie by its configured name, and the
        // session cookie by name (case-insensitive)
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
            Response.Cookies[s].Secure = true;
        }
    }
}

Adding this to the EndRequest event handler in the global.asax should make this happen for all page calls.

Note: An edit was proposed to add a break; statement inside a successful "secure" assignment. I've rejected this edit based on the idea that it would only allow 1 of the cookies to be forced to secure and the second would be ignored. It is not inconceivable to add a counter or some other metric to determine that both have been secured and to break at that point.
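A complete Global.asax.cs version of the idea above, as an added example that is not from the original answers. It hardens both the session cookie and the forms authentication cookie in one pass, and it keeps the cookie-marking logic in a separate static method so it can be exercised against an HttpCookieCollection outside a running site. It assumes .NET Framework 4.7.2 or later, which is where the HttpCookie.SameSite property and SameSiteMode enum exist; the HardenCookies and IsProtected names are this example's own.

```csharp
// Global.asax.cs (added example; assumes .NET Framework 4.7.2+ for HttpCookie.SameSite)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Cookies that must never travel over plain HTTP or be readable by script.
    private static readonly string[] ProtectedCookieNames =
    {
        "ASP.NET_SessionId",
        FormsAuthentication.FormsCookieName   // ".ASPXAUTH" unless changed in web.config
    };

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HardenCookies(Response.Cookies, Request.IsSecureConnection);
    }

    // Returns the number of cookies that were hardened. Kept separate from the
    // event handler so it can be tested with a hand-built HttpCookieCollection.
    internal static int HardenCookies(HttpCookieCollection cookies, bool isHttps)
    {
        int hardened = 0;

        // Walk AllKeys instead of indexing by a fixed name: on the response
        // collection, Response.Cookies["name"] creates and appends a new cookie
        // when the name is absent, which would emit an empty Set-Cookie header.
        foreach (string name in cookies.AllKeys)
        {
            if (!IsProtected(name)) continue;

            HttpCookie cookie = cookies[name];
            cookie.HttpOnly = true;

            // Modern browsers refuse to store a Secure cookie delivered over plain
            // HTTP, so marking it unconditionally on an HTTP response breaks the
            // session instead of protecting it. Either serve the site over HTTPS
            // only, or gate the flag on the connection as done here.
            if (isHttps)
            {
                cookie.Secure = true;
                cookie.SameSite = SameSiteMode.Lax;
            }
            hardened++;
        }
        return hardened;
    }

    private static bool IsProtected(string name)
    {
        foreach (string protectedName in ProtectedCookieNames)
        {
            if (string.Equals(name, protectedName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

Two caveats when deploying this: Request.IsSecureConnection reports false behind a TLS-terminating load balancer or reverse proxy, so in that topology either trust the forwarded-proto header the proxy sets (after validating that it can only come from the proxy) or simply enforce HTTPS site-wide and set Secure unconditionally; and if the application genuinely needs the session cookie on cross-site requests and sets SameSite=None, the Secure flag is mandatory, because browsers reject SameSite=None cookies that are not also Secure.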

Is it possible to mark the cookie ASP.NET_sessionID as secure?

This should enable you to set the cookie as secure:

// Requires: using System.Linq; (for SingleOrDefault)
void Application_EndRequest(object sender, EventArgs e)
{
    var sessionCookieKey = Response.Cookies.AllKeys
        .SingleOrDefault(c => string.Equals(c, "asp.net_sessionid", StringComparison.OrdinalIgnoreCase));

    // Guard the key: on the response collection, Response.Cookies.Get() creates
    // and appends a new cookie when the name is not already present, so calling
    // it with a null key is not a harmless no-op.
    if (sessionCookieKey != null)
    {
        var sessionCookie = Response.Cookies.Get(sessionCookieKey);
        if (sessionCookie != null)
        {
            sessionCookie.Secure = true;
        }
    }
}

ASP.NET_SessionId cookie value is always Lax in the SameSite

The <httpCookies sameSite="..."> attribute in Web.config doesn't affect the ASP.NET_SessionId cookie. Set the <sessionState cookieSameSite="..."> attribute instead:

<system.web>
    <sessionState cookieSameSite="None" />
</system.web>

How can I set the Secure flag on an ASP.NET Session Cookie?

There are two ways. One: the httpCookies element in web.config allows you to turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only; the same setting also exists inside forms authentication. But if you turn on requireSSL in httpCookies, you must also turn it on inside the forms configuration too.

Edit for clarity:
Put this in <system.web>

<httpCookies requireSSL="true" />

How secure are ASP.net security cookies

Sessions in ASP.NET aren't authenticated - authentication is entirely separate. By taking a session cookie and recreating it yes you can hijack the session, and if you lift an authentication cookie then you can authenticate as a user (which is why, by default, authentication cookies expire) - see http://msdn.microsoft.com/en-us/library/ms178581.aspx

The security note is quite clear;

SessionID values are sent in clear text, whether as a cookie or as
part of the URL. A malicious user could get access to the session of
another user by obtaining the SessionID value and including it in
requests to the server. If you are storing sensitive information in
session state, it is recommended that you use SSL to encrypt any
communication between the browser and server that includes the
SessionID value.

Make ASP.NET_SessionId cookie not httpOnly

If you REALLY need it you could try to add this to your Global.asax:

void Application_EndRequest(Object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        foreach (string s in Response.Cookies.AllKeys)
        {
            // only touch the session cookie, and only when it is actually
            // present in this response
            if (s == "ASP.NET_SessionId")
            {
                Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
            }
        }
    }
}

Solution was taken from here.

How to hide the ASP.NET_SessionID cookie string in asp.net webform?

You cannot remove this cookie, since it is used by ASP.Net framework internally to identify unique session.

However you can prevent some XSS attacks using HttpOnly

 ASP.NET_SessionId=ig2fac55; path=/; HttpOnly

By default, ASP.Net session cookies are HttpOnly and cannot be modified by client script

MSDN Article

HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to
true. Internet Explorer 6 Service Pack 1 supports this cookie
attribute, which prevents client-side script from accessing the cookie
from the document.cookie property. If an attempt is made to access the
cookie from client-side script, an empty string is returned. The
cookie is still sent to the server whenever the user browses to a Web
site in the current domain.
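The Set-Cookie line quoted above ("ASP.NET_SessionId=ig2fac55; path=/; HttpOnly") carries HttpOnly but no Secure or SameSite attribute, which is exactly what the answers on this page are trying to fix. The following console program, added here as an example and not taken from any of the answers, parses Set-Cookie header values and reports which of the three protective attributes each cookie is missing, including the case where SameSite=None is present without Secure. The header lines it checks are constructed for illustration; the CookieAudit and Finding names are this example's own.

```csharp
// Added example: audit Set-Cookie header values for Secure / HttpOnly / SameSite.
using System;
using System.Collections.Generic;

public static class CookieAudit
{
    public sealed class Finding
    {
        public string Name;
        public List<string> Missing = new List<string>();
    }

    // Parses one Set-Cookie value, e.g. "ASP.NET_SessionId=ig2fac55; path=/; HttpOnly",
    // and lists the protective attributes that are absent.
    public static Finding Audit(string setCookieValue)
    {
        string[] parts = setCookieValue.Split(';');

        // First segment is name=value; everything after it is an attribute.
        string name = parts[0].Split(new[] { '=' }, 2)[0].Trim();

        var attrs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        for (int i = 1; i < parts.Length; i++)
        {
            string[] kv = parts[i].Split(new[] { '=' }, 2);
            attrs[kv[0].Trim()] = kv.Length > 1 ? kv[1].Trim() : "";
        }

        var finding = new Finding { Name = name };
        bool secure = attrs.ContainsKey("Secure");

        string sameSite;
        bool hasSameSite = attrs.TryGetValue("SameSite", out sameSite);
        bool sameSiteNone = hasSameSite &&
            string.Equals(sameSite, "None", StringComparison.OrdinalIgnoreCase);

        if (!secure)
        {
            // Browsers reject a SameSite=None cookie that is not also Secure,
            // so that combination is a functional bug as well as a weakness.
            finding.Missing.Add(sameSiteNone
                ? "Secure (mandatory with SameSite=None; browsers reject the cookie)"
                : "Secure");
        }
        if (!attrs.ContainsKey("HttpOnly")) finding.Missing.Add("HttpOnly");
        if (!hasSameSite) finding.Missing.Add("SameSite");

        return finding;
    }

    public static void Main()
    {
        // Constructed sample headers; the first one is the line quoted on this page.
        string[] constructed =
        {
            "ASP.NET_SessionId=ig2fac55; path=/; HttpOnly",
            ".ASPXAUTH=abc123; path=/; HttpOnly; Secure; SameSite=Lax",
            "ASP.NET_SessionId=ig2fac55; path=/; HttpOnly; SameSite=None"
        };

        foreach (string line in constructed)
        {
            Finding f = Audit(line);
            Console.WriteLine(f.Missing.Count == 0
                ? f.Name + ": OK"
                : f.Name + ": missing " + string.Join(", ", f.Missing));
        }
    }
}
```

Run against real responses by capturing the Set-Cookie headers from an HTTPS request to the application (for example from the browser's network panel) and feeding each value to Audit; a session cookie that still reports "missing Secure" after the web.config or Global.asax changes above usually means the response was produced over plain HTTP or behind a proxy that hides the TLS termination from IsSecureConnection.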
