After a security audit I got the requirement to set the cookie ASP.NET_sessionID as "secure".
Right now the flag is not set.
Can I use SessionIDManager to set it as secure? I am already using it to change the value of the Session cookie after logging in with this code:
    System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
    string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
    string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
    bool isAdd = false, isRedir = false;
    manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);
EDIT
I saw that I can set
    <httpCookies httpOnlyCookies="false" requireSSL="true" />
But I only want to have this one cookie secure.
Simply write this code to pass the security audit:
    void Session_Start(Object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
        {
            Response.Cookies["ASP.NET_SessionId"].Secure = true;
        }
    }
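An added example, not part of the original answer: `Session_Start` runs only once per session, so a session cookie re-issued later (for instance by the `SaveSessionID` call in the question) would not pass through it. This Global.asax.cs sketch marks only the session cookie as Secure on every HTTPS response; it assumes cookie-based sessions and that the response has not been flushed before `EndRequest`.

```csharp
using System;
using System.Web;
using System.Web.Configuration;

public class Global : HttpApplication
{
    // Name from <sessionState cookieName="...">; the default is "ASP.NET_SessionId".
    private static readonly string SessionCookieName =
        ((SessionStateSection)WebConfigurationManager
            .GetSection("system.web/sessionState")).CookieName;

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Over plain HTTP the browser would discard a Secure cookie.
        if (!Request.IsSecureConnection)
        {
            return;
        }

        // Iterate by index: Response.Cookies["name"] would create an
        // empty cookie if none is being sent with this response.
        for (int i = 0; i < Response.Cookies.Count; i++)
        {
            HttpCookie cookie = Response.Cookies[i];
            if (string.Equals(cookie.Name, SessionCookieName,
                              StringComparison.OrdinalIgnoreCase))
            {
                cookie.Secure = true;   // only the session cookie is changed
            }
        }
    }
}
```

Every other cookie keeps its existing flags, unlike `requireSSL="true"` on `<httpCookies>`, which applies site-wide.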