November Happy Hour will be moved to Thursday December 5th.
AI OnAI Off
Is there a way to mark EPiSessionId Cookie secure and HttpOnly?
Apart from setting requiressl there, you could also try to set it on authentication mode too. You should have something like this.
<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
</authentication>
Jun 23, 2020 19:28
Ah, that's for .EpiserverLogin cookie.
I have that configuration set as well.
Jun 23, 2020 23:09
Hi Shella, session is default ASP.NET stuff, so have a look at this SO post: https://stackoverflow.com/a/6190050
Jun 24, 2020 6:19
Hi Antti: I'm asking about "EPiSessionId" not "ASP.NET_SessionId" which seems to be created when using Profile Store or tracking. It's not even listed on the Epi documentations on Cookies.
Jun 24, 2020 6:22
Hi Shella,
sorry as there was no mention about profile store or tracking I just made the assumption you have renamed the ASP.NET session cookie in your solution (and not just go with the default asp.net cookie name).
Anyways if you haven't already looked / found that cookie is coming from the Episerver NuGet package EPiServer.Session. That package contains the class EPiServer.Session.Services.Internal.DefaultSessionStoreService which writes the cookie like this:
HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));And that is done in the Application_BeginRequest event.
As you can see it is directly setting the Set-Cookie header and not using the response cookies collection.
Jun 24, 2020 6:44
Antti Alasvuo:
Could you please describe how you would implement that the asp.net session cookie is returned with a secure flag?
Nov 30, 2020 12:55
FYI, adding this to Global.asax will make the EPiSessionId cookie HttpOnly 😃
protected void Application_Start()
{
var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
if (sessionIdCookie != null && !sessionIdCookie.HttpOnly)
{
sessionIdCookie.HttpOnly = true;
System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
}
}
Dec 13, 2021 5:52
If you want to make the EPiSessionId cookie secure and HttpOnly, use this:
protected void Application_BeginRequest()
{
var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
if (sessionIdCookie != null)
{
sessionIdCookie.HttpOnly = true;
sessionIdCookie.Secure = true;
System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
}
}This addresses the SameSite=None requiring Secure issue detailed below:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Dec 21, 2021 3:53
For my .NET Framework application, I was unable to mark the EPiSessionId cookie as secure and HttpOnly with the above solutions. After reaching out to support, I developed the following `web.config` snippet for usage under `<system.web>`
<httpCookies httpOnlyCookies="true" requireSSL="true" />This removed the EPiSessionId cookie entirely as well as some other session cookies we weren't using.
Oct 24, 2024 15:08
Like all the other questions regarding cookies and security scan, is there a way to mark the "EPiSessionId" cookie secure AND httpOnly?
I've already set:
<httpCookies requireSSL="true" httpOnlyCookies="true" />
and even tried to intercept the response cookies and override the settings -- but did not work.