Apart from setting requireSSL there, you could also try to set it on the authentication mode element too. You should have something like this:
    <authentication mode="Forms">
        <forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
    </authentication>
Ah, that's for the .EPiServerLogin cookie.
I have that configuration set as well.
Hi Shella, the session is default ASP.NET stuff, so have a look at this SO post: https://stackoverflow.com/a/6190050
Hi Antti: I'm asking about "EPiSessionId", not "ASP.NET_SessionId"; it seems to be created when using Profile Store or tracking. It's not even listed in the Epi documentation on cookies.
Hi Shella,
Sorry, as there was no mention of Profile Store or tracking, I just assumed you had renamed the ASP.NET session cookie in your solution (rather than going with the default ASP.NET cookie name).
Anyway, if you haven't already looked and found it: that cookie comes from the Episerver NuGet package EPiServer.Session. That package contains the class EPiServer.Session.Services.Internal.DefaultSessionStoreService, which writes the cookie like this:
    HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));
And that is done in the Application_BeginRequest event.
As you can see, it is directly setting the Set-Cookie header and not using the response cookies collection.
Antti Alasvuo:
Could you please describe how you would implement having the ASP.NET session cookie returned with the Secure flag?
FYI, adding this to Global.asax will make the EPiSessionId cookie HttpOnly 😃
    protected void Application_Start()
    {
        var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
        if (sessionIdCookie != null && !sessionIdCookie.HttpOnly)
        {
            sessionIdCookie.HttpOnly = true;
            System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
        }
    }
If you want to make the EPiSessionId cookie secure and HttpOnly, use this:
    protected void Application_BeginRequest()
    {
        var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
        if (sessionIdCookie != null)
        {
            // Re-issue the cookie with both flags set via the response cookies collection.
            sessionIdCookie.HttpOnly = true;
            sessionIdCookie.Secure = true;
            System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
        }
    }
This addresses the issue that SameSite=None requires Secure, detailed here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
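An added check (not code from this thread or from Episerver) that audits a response's Set-Cookie headers for the flags discussed above. The sample headers are constructed; the EPiSessionId line follows the raw "{name}={value}; Max-Age={n}; Path=/" format quoted from DefaultSessionStoreService, and the check reports missing Secure/HttpOnly as well as the SameSite=None-without-Secure combination the MDN page describes.

```python
from typing import Dict, List

# Constructed sample headers (not captured from a real site). The EPiSessionId
# line follows the raw format quoted in the thread for DefaultSessionStoreService
# ("{name}={value}; Max-Age={n}; Path=/"); the other lines are invented.
SAMPLE_SET_COOKIE_HEADERS = [
    "EPiSessionId=4f3a1b2c9d; Max-Age=1200; Path=/",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    ".EPiServerLogin=xyz789; path=/; secure; HttpOnly",
    "tracking=1; Path=/; SameSite=None",
]

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) map to ""; valued ones keep their value.
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_cookie(header: str) -> List[str]:
    """Return the hardening problems found in one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    # Browsers reject SameSite=None unless Secure is also present.
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings

def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name in a response to its findings (empty list = passes)."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}

if __name__ == "__main__":
    for name, problems in audit_response(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
```

Run it against the Set-Cookie headers captured from your own site's response to confirm whether the Global.asax change above actually reaches the browser with both flags.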
For my .NET Framework application, I was unable to mark the EPiSessionId cookie as Secure and HttpOnly with the above solutions. After reaching out to support, I developed the following `web.config` snippet for use under `<system.web>`:
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
This removed the EPiSessionId cookie entirely as well as some other session cookies we weren't using.
Like all the other questions regarding cookies and security scans: is there a way to mark the "EPiSessionId" cookie Secure AND HttpOnly?
I've already set:
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
and even tried to intercept the response cookies and override the settings, but it did not work.