2

Afternoon Folks,

I was wondering if anyone could give me a heads up with regards to this problem that I'm having. I'm not positive on what I should be seeing I suppose is the main issue that I'm having.

I have changed the web.config to use the following:

<httpCookies requireSSL="true" />

All works fine for the general cookies defined when I make a request over http (as opposed to https) in that they don't appear, however the asp.net_sessionid cookie (ASP.NET_SessionId=epg3ebjv1hheqe45kgp0j055) still appears. Is this correct behaviour, should it not be missing?

UPDATE:

While doing a bit more trawling through the internet I discovered that this is only applicable to forms cookies. It doesn't apply to session cookies. Sickener! However, the following link suggested a fix for it: How to secure the ASP.NET_SessionId cookie?

Which did not sort out my issue unfortunately, the cookie still appears in the request.

Ruaghain
  • If you only want https traffic, you can stop traffic on port 80. This will make sure only https requests are through. Read this article as well: http://www.isecpartners.com/files/web-session-management.pdf – coder net Oct 04 '11 at 16:25
  • I'll have a look at that too coder, cheers! – Ruaghain Oct 05 '11 at 08:41

1 Answer

0

The cookie will always appear. If it's secure the content will be encrypted (and it will be transmitted in an encrypted fashion if you're using SSL).

That session ID has to be sent somehow. If you'd rather not have it stored as a cookie, you may want to look into cookie-less sessions. In that case, the session will be part of the URL construct.

Maybe try setting a custom cookie name and using the workaround you found?

Brent
  • Cheers Brent, thanks for that. Yea, there was a customer complaining that it was always being sent. I think it may just be a case of the customer not realising that it always is. I'll use the workaround I found alright, and go from there. Thanks again. – Ruaghain Oct 05 '11 at 08:40
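
A check for the behaviour discussed above, as an added example that is not part of the original question or answer: the Secure flag is set by the server on the Set-Cookie response header, and the browser then decides whether to attach the cookie to a plain-HTTP request, so the flag is best verified on the response. The header lines, the AppPref cookie name and the app.example host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: response headers where the session cookie lacks Secure.
SAMPLE_HEADERS = [
    "Set-Cookie: ASP.NET_SessionId=CONSTRUCTEDSESSIONVALUE0; path=/; HttpOnly",
    "Set-Cookie: AppPref=constructed; path=/; secure; HttpOnly",
]

def parse_set_cookie(line):
    """Return (name, value, attrs) for one Set-Cookie header line."""
    _, _, raw = line.partition(":")
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, value, attrs

def audit(header_lines):
    """Map cookie name -> protective attributes missing from its Set-Cookie."""
    findings = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line)
        findings[name] = [a for a in ("secure", "httponly") if a not in attrs]
    return findings

def sent_with(header_lines, url):
    """Cookie names a browser would attach to a request for `url`.
    Only the Secure rule is modelled; domain, path and expiry are ignored."""
    is_https = urlsplit(url).scheme == "https"
    names = []
    for line in header_lines:
        if line.lower().startswith("set-cookie:"):
            name, _, attrs = parse_set_cookie(line)
            if is_https or "secure" not in attrs:
                names.append(name)
    return names

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(name, "missing:", ", ".join(missing) or "nothing")
    print("http  ->", sent_with(SAMPLE_HEADERS, "http://app.example/"))
    print("https ->", sent_with(SAMPLE_HEADERS, "https://app.example/"))
```

A cookie the browser stored before the flag was added stays eligible for HTTP requests until the server reissues or expires it, so clear cookies before re-testing.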