how to secure aspnet_sessionid cookie in umbraco 8

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Jonathan Roberts 409 posts 1063 karma points

Dec 06, 2022 @ 10:44

0

How to secure asp.net_sessionid cookie in Umbraco 8

How can I secure asp.net_sessionid cookie in Umbraco 8?

Copy Link
Nik 1625 posts 7295 karma points MVP 7x c-trib

Dec 07, 2022 @ 09:45
0
Hey Jonathan,

There is quite a good answer on here:

https://stackoverflow.com/questions/5978667/how-to-secure-the-asp-net-sessionid-cookie

The gist of it is there are 2 things you can set up in Web.Config for your site:
```
<sessionState cookieless="false" cookieName="__Secure-SID" cookieSameSite="Lax" />
<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />
```
By setting this it should make all of your cookies secure by default I think. (I've not tested it so err on the side of caution and make sure things work as expected)

:-)

Nik
Copy Link
Jonathan Roberts 409 posts 1063 karma points

Dec 07, 2022 @ 11:03
0
Hi, Adding that into the webconfig doesnt do anything. The cookie remains unsecure.

I would like to try this in the Component Class using IComponent but Im not sure how to implement this correctly in Umbraco.
```
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
    if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
    {
         Response.Cookies[s].Secure = true;
    }
}
}
```
Copy Link
is working on a reply...

This forum is in read-only mode while we transition to the new forum.

You can continue this topic on the new forum by tapping the "Continue discussion" link below.

Please Sign in or register to post replies