Is there a way to mark EPiSessionId Cookie secure and HttpOnly?


Like all the other questions regarding cookies and security scan, is there a way to mark the "EPiSessionId" cookie secure AND httpOnly?

I've already set: 

<httpCookies requireSSL="true" httpOnlyCookies="true" />

and even tried to intercept the response cookies and override the settings -- but did not work.

Jun 23, 2020 9:40

Apart from setting requiressl there, you could also try to set it on authentication mode too. You should have something like this. 

<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />

Jun 23, 2020 19:28

Ah, that's for .EpiserverLogin cookie.

I have that configuration set as well. 

Jun 23, 2020 23:09

Hi Shella, session is default ASP.NET stuff, so have a look at this SO post:

Jun 24, 2020 6:19

Hi Antti: I'm asking about "EPiSessionId" not "ASP.NET_SessionIdwhich seems to be created when using Profile Store or tracking. It's not even listed on the Epi documentations on Cookies. 

Jun 24, 2020 6:22

Hi Shella,

sorry as there was no mention about profile store or tracking I just made the assumption you have renamed the ASP.NET session cookie in your solution (and not just go with the default cookie name).

Anyways if you haven't already looked / found that cookie is coming from the Episerver NuGet package EPiServer.Session. That package contains the class  EPiServer.Session.Services.Internal.DefaultSessionStoreService which writes the cookie like this:

HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));

And that is done in the Application_BeginRequest event.

As you can see it is directly setting the Set-Cookie header and not using the response cookies collection.

Jun 24, 2020 6:44

Antti Alasvuo:

Could you please describe how you would implement that the session cookie is returned with a secure flag?

Nov 30, 2020 12:55
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.