question

LarissaPereira-6367 avatar image
0 Votes"
LarissaPereira-6367 asked SamWu-MSFT commented

ASP.NET_SessionId

i want to secure 'ASP.NET_SessionId' cookie, so i added

<httpCookies httpOnlyCookies="true" requireSSL="true"/> to web.config and

Response.Cookies[ASP.NET_SessionId].Secure = true; to master page.

However when i add code to master page my session gets lost.
Need help

dotnet-aspnet-generaldotnet-aspnet-core-webapidotnet-aspnet-core-securitydotnet-aspnet-core-realtime
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

The ASP.NET session API is well tested and known to function as expected. Most likely there is a bug in your design or code.

What kind of application are you building? Are you using SSL? Is there any way you can share code that reproduces this issue? Can you explain what "Session gets lost" means and how to reproduce this issue?

0 Votes 0 ·

I am building a asp.net web application. Yes we are using SSL.

When the session begins, I can see the value in ASP.NET_SessionId cookie, however, when I navigate to another page, this data is lost. Also all the other parameters like user credentials which are saved are lost and the object becomes null.

This happens only when i add Response.Cookies[ASP.NET_SessionId].Secure = true; to my master page or any event in global.asax which is triggered on every request like Application_BeginRequest or Application_EndRequest.

If I add Response.Cookies[ASP.NET_SessionId].Secure = true only in session_start, my attribute sets to true on session start. however if i manually uncheck secure attribute from developer tools in chrome and reload the page, it is not set back to secure. Thus i am trying to set it from global.asax or master page

0 Votes 0 ·

1 Answer

SamWu-MSFT avatar image
0 Votes"
SamWu-MSFT answered SamWu-MSFT commented

Hi @LarissaPereira-6367

Try to set the Response.Cookies ["ASP.NET_SessionID"].Secure = true in the Session_Start of the global.asax instead of master page.

133786-capture.png


If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



capture.png (31.8 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@SamWu-MSFT by this way i am able to set it at the start of session, however if i manually go to developer tools and uncheck the secure attribute, and i reload the page, it no more sets the cookie as secure. Thus i am trying to do it in master page or any event that gets triggered on every request in global.asax. But when i do it, session is lost.

0 Votes 0 ·
SamWu-MSFT avatar image SamWu-MSFT LarissaPereira-6367 ·

@LarissaPereira-6367 can you tell me why do you go to developer tools and uncheck the secure attribute?

0 Votes 0 ·