Is there a way to mark EPiSessionId Cookie secure and HttpOnly?


Like all the other questions regarding cookies and security scan, is there a way to mark the "EPiSessionId" cookie secure AND httpOnly?

I've already set: 

<httpCookies requireSSL="true" httpOnlyCookies="true" />

and even tried to intercept the response cookies and override the settings -- but did not work.

#224595
Jun 23, 2020 9:40

Apart from setting requiressl there, you could also try to set it on authentication mode too. You should have something like this. 

<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
</authentication>

#224625
Jun 23, 2020 19:28

Ah, that's for .EpiserverLogin cookie.

I have that configuration set as well. 

#224645
Jun 23, 2020 23:09

Hi Shella, session is default ASP.NET stuff, so have a look at this SO post: https://stackoverflow.com/a/6190050

#224648
Jun 24, 2020 6:19

Hi Antti: I'm asking about "EPiSessionId", not "ASP.NET_SessionId", which seems to be created when using Profile Store or tracking. It's not even listed in the Epi documentation on cookies.

#224649
Jun 24, 2020 6:22

Hi Shella,

Sorry, as there was no mention of Profile Store or tracking I just made the assumption that you had renamed the ASP.NET session cookie in your solution (and not just gone with the default ASP.NET cookie name).

Anyway, if you haven't already looked/found it: that cookie comes from the Episerver NuGet package EPiServer.Session. That package contains the class EPiServer.Session.Services.Internal.DefaultSessionStoreService, which writes the cookie like this:

HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));

And that is done in the Application_BeginRequest event.

As you can see it is directly setting the Set-Cookie header and not using the response cookies collection.

#224650
Jun 24, 2020 6:44
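Because the package writes the raw Set-Cookie header rather than going through Response.Cookies, the httpCookies element and the cookie-collection tweaks posted later in this thread cannot reach that header. The following Global.asax code is an added example, not Episerver's code and not from any poster: it rewrites the raw EPiSessionId Set-Cookie header at the end of the request so it carries HttpOnly and (on HTTPS) Secure. Names such as the Global class and HardenSetCookieHeader are made up for the example. It assumes IIS integrated pipeline mode, where Response.Headers is writable, and that removing and re-adding the Set-Cookie header there replaces the header values (if your pipeline behaves differently, treat that step as the part to verify).

```csharp
// Added example (not Episerver's own code): harden the raw Set-Cookie header that
// DefaultSessionStoreService emits for EPiSessionId. Assumes IIS integrated pipeline
// and a Global.asax code-behind; the class and method names are hypothetical.
using System;
using System.Linq;
using System.Web;

public class Global : HttpApplication
{
    private const string SessionCookieName = "EPiSessionId";

    // Pure helper so the rewrite rule can be checked without an HttpContext.
    // Any Set-Cookie value that is not the EPiSessionId cookie is returned unchanged.
    public static string HardenSetCookieHeader(string setCookieValue, bool isHttps)
    {
        if (setCookieValue == null ||
            !setCookieValue.StartsWith(SessionCookieName + "=", StringComparison.Ordinal))
        {
            return setCookieValue;
        }

        // Split "name=value; Max-Age=...; Path=/" into its attributes, dropping empties.
        var attributes = setCookieValue.Split(';')
            .Select(a => a.Trim())
            .Where(a => a.Length > 0)
            .ToList();

        if (!attributes.Any(a => a.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)))
        {
            attributes.Add("HttpOnly");
        }

        // Secure is only meaningful over TLS; a browser discards a Secure cookie that
        // arrives over plain HTTP, so it is added only when the request itself was HTTPS.
        if (isHttps &&
            !attributes.Any(a => a.Equals("Secure", StringComparison.OrdinalIgnoreCase)))
        {
            attributes.Add("Secure");
        }

        return string.Join("; ", attributes);
    }

    // EndRequest runs after the Application_BeginRequest handler that wrote the header
    // and before headers go on the wire (unless something flushed the response early).
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        var context = HttpContext.Current;
        var setCookies = context.Response.Headers.GetValues("Set-Cookie");
        if (setCookies == null)
        {
            return; // nothing set a cookie on this response
        }

        var isHttps = context.Request.IsSecureConnection;

        // Assumption: Remove followed by Add replaces the header values in integrated mode.
        context.Response.Headers.Remove("Set-Cookie");
        foreach (var value in setCookies)
        {
            context.Response.Headers.Add("Set-Cookie", HardenSetCookieHeader(value, isHttps));
        }
    }
}
```

After deploying, confirm the change the same way the security scan would: look at the response headers of a page that starts a session and check that the EPiSessionId Set-Cookie line now ends with HttpOnly and Secure, and that no second, unhardened Set-Cookie line for the same name is present. Keeping the rewrite in a pure helper also lets you unit-test the attribute handling (already-present attributes are not duplicated, other cookies pass through untouched) without spinning up the application.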

Antti Alasvuo:

Could you please describe how you would implement that the asp.net session cookie is returned with a secure flag?

#231533
Nov 30, 2020 12:55

FYI, adding this to Global.asax will make the EPiSessionId cookie HttpOnly 😃

// Must run per request: Application_Start fires only once per application
// lifetime and in integrated pipeline mode Request is not available there.
protected void Application_BeginRequest()
{
    // The browser sends the cookie back without its attributes, so re-issue it
    // with HttpOnly set; Response.Cookies adds a new Set-Cookie header.
    var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
    if (sessionIdCookie != null && !sessionIdCookie.HttpOnly)
    {
        sessionIdCookie.HttpOnly = true;
        System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
    }
}
#268315
Dec 13, 2021 5:52

Thanks for this information!

#268386
Dec 14, 2021 14:22

If you want to make the EPiSessionId cookie secure and HttpOnly, use this:

protected void Application_BeginRequest()
{
    // Re-issue the incoming session cookie with both flags set.
    var sessionIdCookie = System.Web.HttpContext.Current.Request.Cookies["EPiSessionId"];
    if (sessionIdCookie != null)
    {
        sessionIdCookie.HttpOnly = true;
        sessionIdCookie.Secure = true;
        System.Web.HttpContext.Current.Response.Cookies.Add(sessionIdCookie);
    }
}

This addresses the SameSite=None requiring Secure issue detailed below:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

#268738
Dec 21, 2021 3:53

For my .NET Framework application, I was unable to mark the EPiSessionId cookie as secure and HttpOnly with the above solutions. After reaching out to support, I developed the following `web.config` snippet for usage under `<system.web>`:

<httpCookies httpOnlyCookies="true" requireSSL="true" />

This removed the EPiSessionId cookie entirely as well as some other session cookies we weren't using.

#331905
Oct 24, 2024 15:08