Session loss after migrating to ASP.NET 2.0

The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0. This value is hardcoded and cannot be changed via a setting in the application. While this is documented as a breaking change in the breaking changes document (linked below), it's not clear the types of symptoms you will see in your application, nor is the fix clearly stated.

void Application_EndRequest(object sender, EventArgs e){ if (Response.Cookies.Count > 0) {          foreach (string s in Response.Cookies.AllKeys) { if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid") { Response.Cookies[s].HttpOnly = false; } } }}

You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.

Link to breaking changes document:

Link to HttpOnly Attribute:

Link to HttpModule documentation:

Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.