Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Jonathan Roberts 409 posts 1063 karma points
    Dec 06, 2022 @ 10:44
    Jonathan Roberts
    0

    How to secure asp.net_sessionid cookie in Umbraco 8

    How can I secure asp.net_sessionid cookie in Umbraco 8?

  • Nik 1591 posts 7148 karma points MVP 6x c-trib
    Dec 07, 2022 @ 09:45
    Nik
    0

    Hey Jonathan,

    There is quite a good answer on here:

    https://stackoverflow.com/questions/5978667/how-to-secure-the-asp-net-sessionid-cookie

    The gist of it is there are 2 things you can set up in Web.Config for your site:

    <sessionState cookieless="false" cookieName="__Secure-SID" cookieSameSite="Lax" />
    <httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />
    

    By setting this it should make all of your cookies secure by default I think. (I've not tested it so err on the side of caution and make sure things work as expected)

    :-)

    Nik

  • Jonathan Roberts 409 posts 1063 karma points
    Dec 07, 2022 @ 11:03
    Jonathan Roberts
    0

    Hi, Adding that into the webconfig doesnt do anything. The cookie remains unsecure.

    I would like to try this in the Component Class using IComponent but Im not sure how to implement this correctly in Umbraco.

    if (Response.Cookies.Count > 0)
    {
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
             Response.Cookies[s].Secure = true;
        }
    }
    }
    
Please Sign in or register to post replies

Write your reply to:

Draft