4

After a security audit I got the requirement to set the cookie ASP.NET_sessionID as "secure".

Right now the flag is not set.

Can I use SessionIDManager to set it as secure? I am already using it to change the value of the Session cookie after logging in with this code:

// Replace the session ID after login (the cookie value, not its flags).
System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
bool isAdd = false, isRedir = false;
// Writes the new ID into the ASP.NET_SessionId response cookie.
manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);

EDIT

I saw that I can set

<httpCookies httpOnlyCookies="false" requireSSL="true" />

But I only want this one cookie to be secure.

Mathias F
  • Related question https://stackoverflow.com/questions/38954821/preventing-csrf-with-the-same-site-cookie-attribute/ (has answer about ASP session too) – Alex from Jitbit Sep 08 '19 at 09:05

2 Answers

5

Simply write this code to pass the security audit.

// Global.asax: runs once when a new session is created, after the
// session module has placed the ASP.NET_SessionId cookie in the response.
void Session_Start(Object sender, EventArgs e)
{
    // Only mark the cookie Secure when the request itself came over HTTPS.
    if (Request.IsSecureConnection)
    {
        // The indexer returns the existing response cookie (and would create
        // one if it were absent).
        Response.Cookies["ASP.NET_SessionId"].Secure = true;
    }
}
4

This should enable you to set the cookie as secure:

// Global.asax: runs for every request. Needs 'using System.Linq;' for SingleOrDefault.
void Application_EndRequest(object sender, EventArgs e)
{
    // Match the session cookie name case-insensitively.
    var sessionCookieKey = Response.Cookies.AllKeys
        .SingleOrDefault(c => c.ToLower() == "asp.net_sessionid");
    // Response.Cookies.Get() creates a cookie on demand, so only look it up
    // when the session cookie is actually present in this response.
    if (sessionCookieKey != null)
    {
        var sessionCookie = Response.Cookies.Get(sessionCookieKey);
        if (sessionCookie != null)
        {
            sessionCookie.Secure = true;
        }
    }
}
martin308
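Once either Global.asax change is in place, the audit finding can be re-checked from outside the application by reading the Set-Cookie headers the site returns. The checker below is an added example, not code from the question or either answer; the Set-Cookie lines it inspects are constructed samples, and the session cookie name is matched case-insensitively like the second answer's lookup.

```python
"""Report which security attributes are missing on the ASP.NET session cookie."""

SESSION_COOKIE = "ASP.NET_SessionId"   # default ASP.NET session cookie name
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Cookie attributes are case-insensitive (RFC 6265), so normalise.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(header_value, cookie_name=SESSION_COOKIE):
    """Return the required flags absent from the named cookie, or None when
    the header belongs to a different cookie."""
    name, _value, attrs = parse_set_cookie(header_value)
    if name.lower() != cookie_name.lower():
        return None
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit(set_cookie_headers):
    """Map each session cookie found in the response to its missing flags."""
    findings = {}
    for header in set_cookie_headers:
        missing = missing_flags(header)
        if missing is not None:
            findings[parse_set_cookie(header)[0]] = missing
    return findings


# Constructed sample Set-Cookie headers: before and after the Global.asax fix.
BEFORE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",   # the audit finding: no Secure
    "prefs=dark; path=/",                            # unrelated cookie, ignored
]
AFTER = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print(audit(BEFORE))   # {'ASP.NET_SessionId': ['Secure']}
    print(audit(AFTER))    # {'ASP.NET_SessionId': []}
```

Feed it the Set-Cookie headers from a real HTTPS response (for example, from a browser's network tab) to confirm the session cookie now carries both flags while other cookies are left as they were.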