Epi:StateMarker cookie - what is it and how can I make it secure?


After upgrading to Episerver 11, I've noticed session cookies like EPi:StateMarker and EPi:ViewedPages, with value "true" and "244" respectively in our production environment only. They aren't a problem in themselves, but they are not marked secure nor httpOnly, which triggers warnings from our security scanning tool.

Does anyone have any idea where they come from and how to secure them?

Jun 17, 2019 9:43

Hi Espen,

These will respect the httpCookies configuration in you web.config, to make them secure you should set requireSSL to true.

EPi:StateMarker is a visitor group state marker (not sure on the specifics) and EPi:ViewedPages is used in tracking pages the user has viewed (again for visitor group personalization, specifically the "Visited Page" criterion).

Jun 18, 2019 18:11

And adding for future reference (in Episerver documentation):

Also Mark Everard has collected a list of Episerver cookies to his github.

Jun 19, 2019 19:55

@Antti: Thanks for sharing thosesome good resources.

I did already check the cookie documentation, however, it seems to be out of date given that the EPi:StateMarker cookie was introduced in EPiServer.Framework.AspNet 11.9.0. Looks like it may be used to track the start of a session.

It's the same case with the EPi:ViewedPages cookie, from EPiServer.CMS.AspNet 11.9.0 onwards this cookie is set depending on your state storage preferences, before this Episerver visitor groups always required session states.

As per the documentation from 11.9.0 you can also configure your own custom state storage: https://world.episerver.com/documentation/developer-guides/CMS/personalization/session-handling-in-visitor-group-criteria/

Long story short, I think the documentation needs updating.

Edited, Jun 19, 2019 20:56

Thank you both. Adding the httpCookies config did the trick.

And yes, there is definitely a lack of documentation, at least on the StateMarker cookie. That explains why my Google searches failed me.

Jun 21, 2019 9:08

Is it possible to disable the EPi:StateMarker cookie?

Sep 23, 2019 15:44

To answer my own question: 

Add this to global.asax.cs

protected void Application_EndRequest()

                if (System.Web.HttpContext.Current != null)
            catch (Exception)
                //Do nothing, just don't take down the site


Sep 24, 2019 13:51
Jørgen Helgheim - Feb 03, 2021 11:38
I guess this is no longer neccesary Andreas after episerver v11.14.2 (https://world.episerver.com/documentation/Release-Notes/ReleaseNote/?releaseNoteId=CMS-14715) .

I am also not sure if this code is working as excepted since you remove it from the Response, and not the Request.

The colon character ':' is invalid in a cookie name. This breaks an ApiController implementation we have that tries to get a cookie value using


The ':' character in "EPi:StateMarker" prevents successful parsing of the cookie header value and so no cookies are returned.

A workaround is to use: 


I suggest that Episerver change the "EPi:" cookie names so that they no longer use invalid characters.

<cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " /  [ ] ? = { }.

Oct 21, 2019 14:13
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.