
Is there a way to mark EPiSessionId Cookie secure and HttpOnly?

Vote:
0

Like all the other questions regarding cookies and security scan, is there a way to mark the "EPiSessionId" cookie secure AND httpOnly?

I've already set: 

<httpCookies requireSSL="true" httpOnlyCookies="true" />

and even tried to intercept the response cookies and override the settings -- but did not work.

#224595
Jun 23, 2020 9:40
Vote:
0

Apart from setting requiressl there, you could also try to set it on authentication mode too. You should have something like this. 

<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
</authentication>

#224625
Jun 23, 2020 19:28
Vote:
0

Ah, that's for .EpiserverLogin cookie.

I have that configuration set as well. 

#224645
Jun 23, 2020 23:09
Vote:
0

Hi Shella, session is default ASP.NET stuff, so have a look at this SO post: https://stackoverflow.com/a/6190050

#224648
Jun 24, 2020 6:19
Vote:
0

Hi Antti: I'm asking about "EPiSessionId", not "ASP.NET_SessionId", which seems to be created when using Profile Store or tracking. It's not even listed in the Epi documentation on Cookies.

#224649
Jun 24, 2020 6:22
Vote:
0

Hi Shella,

sorry, as there was no mention of profile store or tracking I just made the assumption that you have renamed the ASP.NET session cookie in your solution (and not just gone with the default ASP.NET cookie name).

Anyway, if you haven't already looked / found it: that cookie is coming from the Episerver NuGet package EPiServer.Session. That package contains the class EPiServer.Session.Services.Internal.DefaultSessionStoreService, which writes the cookie like this:

HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));

And that is done in the Application_BeginRequest event.

As you can see it is directly setting the Set-Cookie header and not using the response cookies collection.

#224650
Jun 24, 2020 6:44
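Because the cookie is written as a raw Set-Cookie header rather than through Response.Cookies, the <httpCookies> settings never touch it. One defensive option, added here as an example by the editor and not code from this thread or from Episerver, is to rewrite that header just before the response headers are sent. It assumes a Global.asax in an IIS integrated-pipeline site on .NET Framework 4.5.2 or later (where Response.AddOnSendingHeaders and a writable Response.Headers exist); HardenCookieHeader is a hypothetical helper name.

```csharp
using System;
using System.Linq;
using System.Web;

public class Global : HttpApplication
{
    // Name of the cookie EPiServer.Session emits via Response.Headers.Add("Set-Cookie", ...).
    private const string CookieName = "EPiSessionId";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Register a callback that runs right before headers go on the wire, so it
        // sees the raw Set-Cookie header regardless of which module added it.
        Context.Response.AddOnSendingHeaders(HardenSessionCookie);
    }

    private static void HardenSessionCookie(HttpContext context)
    {
        var response = context.Response;
        var values = response.Headers.GetValues("Set-Cookie");
        if (values == null || values.Length == 0) return;

        // Only touch the EPiSessionId header; leave every other cookie untouched.
        var patched = values
            .Select(v => v.StartsWith(CookieName + "=", StringComparison.Ordinal)
                ? HardenCookieHeader(v)
                : v)
            .ToArray();
        if (patched.SequenceEqual(values)) return;

        // Replace the whole Set-Cookie set so no unhardened copy survives.
        response.Headers.Remove("Set-Cookie");
        foreach (var v in patched) response.AppendHeader("Set-Cookie", v);
    }

    // Appends Secure and HttpOnly to a raw Set-Cookie value when they are missing,
    // e.g. "EPiSessionId=abc; Max-Age=1200; Path=/" becomes
    // "EPiSessionId=abc; Max-Age=1200; Path=/; Secure; HttpOnly".
    // Secure is added unconditionally: behind a TLS-terminating proxy
    // Request.IsSecureConnection is often false, so it is not a safe gate.
    internal static string HardenCookieHeader(string value)
    {
        var attrs = value.Split(';').Select(a => a.Trim()).Where(a => a.Length > 0).ToList();
        if (!attrs.Any(a => a.Equals("Secure", StringComparison.OrdinalIgnoreCase))) attrs.Add("Secure");
        if (!attrs.Any(a => a.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase))) attrs.Add("HttpOnly");
        return string.Join("; ", attrs);
    }
}
```

A browser will discard a Secure cookie on a plain-HTTP response, so verify the flags with a TLS request (for example by inspecting the Set-Cookie header in the browser's network tab) rather than on a local HTTP binding.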
Vote:
0

Antti Alasvuo:

Could you please describe how you would implement that the asp.net session cookie is returned with a secure flag?

#231533
Nov 30, 2020 12:55
Vote:
0

FYI, adding this to Global.asax will make the EPiSessionId cookie HttpOnly 😃

protected void Application_Start()
{
    // Copy the incoming EPiSessionId cookie back to the response with HttpOnly set.
    var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
    if (sessionIdCookie != null && !sessionIdCookie.HttpOnly)
    {
        sessionIdCookie.HttpOnly = true;
        System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
    }
}
#268315
Dec 13, 2021 5:52
Vote:
0

Thanks for this information!

#268386
Dec 14, 2021 14:22
Vote:
0

If you want to make the EPiSessionId cookie secure and HttpOnly, use this:

protected void Application_BeginRequest()
{
	var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
	if (sessionIdCookie != null)
	{
		sessionIdCookie.HttpOnly = true;
		sessionIdCookie.Secure = true;
		System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
	}
}

This addresses the SameSite=None requiring Secure issue detailed below:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

#268738
Dec 21, 2021 3:53
Vote:
0

For my .NET Framework application, I was unable to mark the EPiSessionId cookie as secure and HttpOnly with the above solutions. After reaching out to support, I developed the following `web.config` snippet for usage under `<system.web>`:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

This removed the EPiSessionId cookie entirely as well as some other session cookies we weren't using.

#331905
Oct 24, 2024 15:08