2

I have a web application in ASP.NET 4.5.2. The application works fine in IE but in Chrome & Edge when I access the application using HTTP the ASP.NET_SessionId cookie is not created. When I log in and click any link within the application it moves me back to the login page.

When using HTTPS the ASP.NET_SessionId cookie is created and the application works fine in all browsers.

I have used Fiddler and found that when it doesn't work the request header doesn't contain this cookie, but for the links where it works, this cookie exists in the request header.

Please help me find the issue.

Thanks.

Imran Yaseen
  • You should be able to set `requireSSL="true"` in the httpCookies element and this will work, you may need to clear existing cookies first, then you can see the changes. The session state configuration document is here, you can refer to: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-3.0/h6bb9cz9(v=vs.85)?redirectedfrom=MSDN – YurongDai Oct 25 '22 at 07:19
  • @YurongDai, it doesn't work by setting requireSSL="true". Please note this issue only happens when using HTTP (not HTTPS) in Chrome or Edge browsers. But it always works when using IE 11 with both HTTP & HTTPS. – Imran Yaseen Oct 26 '22 at 08:57
  • Another aspect I can think of is that the Content-Security-Policy HTML meta tag can also control how cookies are handled. https://www.w3.org/TR/csp-cookies/ – YurongDai Nov 02 '22 at 06:39

1 Answer

0

Check your web.config under `<system.web>` for:

<httpCookies requireSSL="true" />

If this is set to true, cookies will be marked as secure and you won't be able to read them unless you are connecting over SSL. This defaults to true if SSL is enabled for your project and false if it isn't.

https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpcookiessection.requiressl?view=netframework-4.8

Related question with some useful information on the forms tag which may require you to set this in more than one place:

How can I set the Secure flag on an ASP.NET Session Cookie?

JustAnotherDev
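Added example, not part of the original answer or of ASP.NET: a small Python model of how a browser handles the Secure attribute on a cookie such as ASP.NET_SessionId. It goes beyond the answer by also modelling the "Leave Secure Cookies Alone" rule from the cookie specification update (RFC 6265bis), under which a plain-HTTP response can neither set a Secure cookie nor overwrite an existing one. The `CookieJar` class, the `strict_secure` switch and all header values are constructed for illustration, and domain and path matching are ignored (a single host is assumed).

```python
def parse_set_cookie(header):
    """Return (name, value, secure) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name.strip(), value.strip(), "secure" in attrs


class CookieJar:
    """Hypothetical single-host cookie store; only the Secure attribute is modelled."""

    def __init__(self, strict_secure=True):
        # strict_secure=True applies "Leave Secure Cookies Alone";
        # False models a browser that predates that rule.
        self.strict_secure = strict_secure
        self.cookies = {}  # name -> (value, secure)

    def store(self, scheme, header):
        """Apply a Set-Cookie header received over `scheme`; True if it was stored."""
        name, value, secure = parse_set_cookie(header)
        if self.strict_secure and scheme == "http":
            if secure:
                return False  # insecure origin may not set a Secure cookie
            if self.cookies.get(name, ("", False))[1]:
                return False  # ...nor overwrite an existing Secure cookie
        self.cookies[name] = (value, secure)
        return True

    def cookie_header(self, scheme):
        """Cookie request header sent over `scheme`; Secure cookies need https."""
        return "; ".join(f"{n}={v}" for n, (v, sec) in self.cookies.items()
                         if scheme == "https" or not sec)


def demo(strict_secure):
    """Visit the site over HTTPS first, then over HTTP (constructed headers)."""
    jar = CookieJar(strict_secure)
    jar.store("https", "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly")
    stored = jar.store("http", "ASP.NET_SessionId=def456; path=/; HttpOnly")
    return stored, jar.cookie_header("http"), jar.cookie_header("https")


if __name__ == "__main__":
    print("strict:", demo(True))
    print("legacy:", demo(False))
```

In the strict case the HTTP request carries no session cookie at all, so the server sees every HTTP request as a new, unauthenticated session until the stored Secure cookie is cleared.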