November Happy Hour will be moved to Thursday December 5th.
Hi Espen,
These will respect the httpCookies configuration in your web.config; to make them secure you should set requireSSL to true.
EPi:StateMarker is a visitor group state marker (not sure on the specifics) and EPi:ViewedPages is used in tracking pages the user has viewed (again for visitor group personalization, specifically the "Visited Page" criterion).
And adding for future reference (in Episerver documentation):
Also, Mark Everard has collected a list of Episerver cookies on his GitHub.
@Antti: Thanks for sharing those—some good resources.
I did already check the cookie documentation; however, it seems to be out of date given that the EPi:StateMarker cookie was introduced in EPiServer.Framework.AspNet 11.9.0. Looks like it may be used to track the start of a session.
It's the same case with the EPi:ViewedPages cookie: from EPiServer.CMS.AspNet 11.9.0 onwards this cookie is set depending on your state storage preferences; before this, Episerver visitor groups always required session state.
As per the documentation from 11.9.0 you can also configure your own custom state storage: https://world.episerver.com/documentation/developer-guides/CMS/personalization/session-handling-in-visitor-group-criteria/
Long story short, I think the documentation needs updating.
Thank you both. Adding the httpCookies config did the trick.
And yes, there is definitely a lack of documentation, at least on the StateMarker cookie. That explains why my Google searches failed me.
To answer my own question:
Add this to global.asax.cs
// Drops the Set-Cookie for EPi:StateMarker from the outgoing response.
// EndRequest runs before the response headers are flushed, so the cookie never reaches the browser.
protected void Application_EndRequest()
{
    try
    {
        if (System.Web.HttpContext.Current != null)
        {
            // Remove only this cookie from the response collection; other cookies are untouched.
            System.Web.HttpContext.Current.Response.Cookies.Remove("EPi:StateMarker");
        }
    }
    catch (Exception)
    {
        // Do nothing, just don't take down the site
    }
}
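The thread's fix is the web.config httpCookies setting (httpOnlyCookies="true" requireSSL="true"), which changes the defaults every new HttpCookie starts with. As an added example that is not from the thread or from Episerver, the code below is a Global.asax backstop for the same requirement: at EndRequest it walks every cookie in the response and forces HttpOnly, and forces Secure only when the request actually arrived over TLS, so a plain-HTTP development environment keeps working. The class and method names (CookieHardening, Harden) are assumptions for illustration.

```csharp
using System;
using System.Web;

// Added example, not Episerver code: enforce HttpOnly/Secure on every outgoing cookie,
// including ones created by framework code you do not control (EPi:StateMarker, EPi:ViewedPages).
public static class CookieHardening
{
    // Returns the number of cookies whose flags were changed, so the effect can be logged or tested.
    // Secure is only set on a TLS request: a Secure cookie issued over HTTP is never sent back
    // by the browser, which would silently break sessions in a non-TLS test environment.
    public static int Harden(HttpCookieCollection cookies, bool isSecureConnection)
    {
        int changed = 0;
        foreach (string name in cookies.AllKeys)
        {
            HttpCookie cookie = cookies[name];
            if (cookie == null) continue;

            bool touched = false;
            if (!cookie.HttpOnly)
            {
                cookie.HttpOnly = true;   // keep script (document.cookie) away from the value
                touched = true;
            }
            if (isSecureConnection && !cookie.Secure)
            {
                cookie.Secure = true;     // only transmit over TLS
                touched = true;
            }
            if (touched) changed++;
        }
        return changed;
    }
}

// Hook it into the pipeline from global.asax.cs (class name is the ASP.NET default; the
// event handler signature without parameters is accepted by HttpApplication).
public class Global : HttpApplication
{
    protected void Application_EndRequest()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null) return;

        // Response.Cookies is still mutable here; headers are generated after EndRequest.
        CookieHardening.Harden(ctx.Response.Cookies, ctx.Request.IsSecureConnection);
    }
}
```

Two caveats a scanner-driven fix tends to miss: behind a load balancer that terminates TLS, Request.IsSecureConnection is false on the app server, so the check should instead consult whatever forwarded-protocol header your proxy sets; and this only affects cookies the server is setting on this response, so a cookie already stored by the browser without the flags keeps them until it is re-issued.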
The colon character ':' is invalid in a cookie name. This breaks an ApiController implementation we have that tries to get a cookie value using:
Request.Headers.GetCookies(name).FirstOrDefault()
The ':' character in "EPi:StateMarker" prevents successful parsing of the cookie header value and so no cookies are returned.
A workaround is to use:
HttpContext.Current.Request.Cookies.Get(name)
I suggest that Episerver change the "EPi:" cookie names so that they no longer use invalid characters.
A <cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
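To make the previous post's point concrete, here is an added example (not from the thread, not from Episerver or the .NET Framework) that checks a cookie name against the token rule quoted above, and contrasts a lenient Cookie-header parser, which behaves like the HttpRequest.Cookies workaround and still finds "EPi:StateMarker", with a strict one that rejects the whole header as soon as one name contains a separator, which is the failure mode the post reports for Request.Headers.GetCookies. The strict parser is a model of that reported behaviour, not a copy of the library's parser; the class and method names and the sample header are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example, not library code: RFC 6265 cookie-name validation and two parsing strategies.
public static class CookieNames
{
    // Separators from RFC 2616 section 2.2, as quoted on the MDN page above, plus space and tab.
    private const string Separators = "()<>@,;:\\\"/[]?={} \t";

    // A cookie-name must be a "token": printable US-ASCII with no separators.
    public static bool IsValidName(string name)
    {
        if (string.IsNullOrEmpty(name)) return false;
        foreach (char c in name)
        {
            if (c <= 0x20 || c >= 0x7F) return false;      // CTLs, space, DEL, non-ASCII
            if (Separators.IndexOf(c) >= 0) return false;  // separator characters such as ':'
        }
        return true;
    }

    // Lenient: split on ';' and the first '=', never validate names. This is how "EPi:StateMarker"
    // is still reachable via HttpContext.Current.Request.Cookies.Get(name) in the workaround.
    public static Dictionary<string, string> ParseLenient(string cookieHeader)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        if (string.IsNullOrWhiteSpace(cookieHeader)) return result;

        foreach (string pair in cookieHeader.Split(';'))
        {
            string trimmed = pair.Trim();
            if (trimmed.Length == 0) continue;
            int eq = trimmed.IndexOf('=');
            string name = eq < 0 ? trimmed : trimmed.Substring(0, eq).Trim();
            string value = eq < 0 ? string.Empty : trimmed.Substring(eq + 1).Trim();
            if (name.Length > 0 && !result.ContainsKey(name)) result[name] = value;
        }
        return result;
    }

    // Strict: one invalid name poisons the whole header and nothing is returned. offendingName
    // reports which cookie caused it, which is the first thing you want in a production log.
    public static Dictionary<string, string> ParseStrict(string cookieHeader, out string offendingName)
    {
        offendingName = null;
        Dictionary<string, string> lenient = ParseLenient(cookieHeader);
        foreach (string name in lenient.Keys)
        {
            if (!IsValidName(name))
            {
                offendingName = name;
                return new Dictionary<string, string>(StringComparer.Ordinal);
            }
        }
        return lenient;
    }

    // Constructed sample header (not captured from a real site) mixing a valid and an invalid name.
    public const string SampleHeader = "ASP.NET_SessionId=abc123; EPi:StateMarker=true; EPi:ViewedPages=244";

    public static void Demo()
    {
        Console.WriteLine(IsValidName("ASP.NET_SessionId"));           // True
        Console.WriteLine(IsValidName("EPi:StateMarker"));             // False, ':' is a separator

        Dictionary<string, string> lenient = ParseLenient(SampleHeader);
        Console.WriteLine(lenient["EPi:StateMarker"]);                 // true

        string bad;
        Dictionary<string, string> strict = ParseStrict(SampleHeader, out bad);
        Console.WriteLine(strict.Count + " cookies, rejected by " + bad); // 0 cookies, rejected by EPi:StateMarker
    }
}
```

The practical consequence for an ApiController: if any cookie on the domain has a non-token name, a strict header parser can drop every cookie on the request, including your own well-formed ones, so the workaround of reading from the System.Web cookie collection is not just about the EPi cookies but about not losing the rest.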
After upgrading to Episerver 11, I've noticed session cookies like EPi:StateMarker and EPi:ViewedPages, with value "true" and "244" respectively, in our production environment only. They aren't a problem in themselves, but they are not marked secure nor httpOnly, which triggers warnings from our security scanning tool. Does anyone have any idea where they come from and how to secure them?