how to secure aspnet_sessionid cookie in umbraco 8 - Using Umbraco and getting started - our.umbraco.com

Press Ctrl / CMD + C to copy this to your clipboard.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

Jonathan Roberts 409 posts 1063 karma points

Dec 06, 2022 @ 10:44

0

How to secure asp.net_sessionid cookie in Umbraco 8

How can I secure asp.net_sessionid cookie in Umbraco 8?

Copy Link
Nik 1614 posts 7260 karma points MVP 7x c-trib

Dec 07, 2022 @ 09:45
0
Hey Jonathan,

There is quite a good answer on here:

https://stackoverflow.com/questions/5978667/how-to-secure-the-asp-net-sessionid-cookie

The gist of it is there are 2 things you can set up in Web.Config for your site:
```
<sessionState cookieless="false" cookieName="__Secure-SID" cookieSameSite="Lax" />
<httpCookies httpOnlyCookies="true" sameSite="Lax" requireSSL="true" />
```
By setting this it should make all of your cookies secure by default I think. (I've not tested it so err on the side of caution and make sure things work as expected)

:-)

Nik
Copy Link
Jonathan Roberts 409 posts 1063 karma points

Dec 07, 2022 @ 11:03
0
Hi, Adding that into the webconfig doesnt do anything. The cookie remains unsecure.

I would like to try this in the Component Class using IComponent but Im not sure how to implement this correctly in Umbraco.
```
if (Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
    if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
    {
         Response.Cookies[s].Secure = true;
    }
}
}
```
Copy Link
is working on a reply...

Please Sign in or register to post replies

Write your reply to:

Editor

Preview

Draft