Epi:StateMarker cookie - what is it and how can I make it secure?

Vote:
 

After upgrading to Episerver 11, I've noticed session cookies like EPi:StateMarker and EPi:ViewedPages, with value "true" and "244" respectively in our production environment only. They aren't a problem in themselves, but they are not marked secure nor httpOnly, which triggers warnings from our security scanning tool.

Does anyone have any idea where they come from and how to secure them?

#204762
Jun 17, 2019 9:43
Vote:
 

Hi Espen,

These will respect the httpCookies configuration in you web.config, to make them secure you should set requireSSL to true.

EPi:StateMarker is a visitor group state marker (not sure on the specifics) and EPi:ViewedPages is used in tracking pages the user has viewed (again for visitor group personalization, specifically the "Visited Page" criterion).

#204804
Jun 18, 2019 18:11
Vote:
 

And adding for future reference (in Episerver documentation):

Also Mark Everard has collected a list of Episerver cookies to his github.

#204840
Jun 19, 2019 19:55
Vote:
 

@Antti: Thanks for sharing thosesome good resources.

I did already check the cookie documentation, however, it seems to be out of date given that the EPi:StateMarker cookie was introduced in EPiServer.Framework.AspNet 11.9.0. Looks like it may be used to track the start of a session.

It's the same case with the EPi:ViewedPages cookie, from EPiServer.CMS.AspNet 11.9.0 onwards this cookie is set depending on your state storage preferences, before this Episerver visitor groups always required session states.

As per the documentation from 11.9.0 you can also configure your own custom state storage: https://world.episerver.com/documentation/developer-guides/CMS/personalization/session-handling-in-visitor-group-criteria/

Long story short, I think the documentation needs updating.

#204842
Edited, Jun 19, 2019 21:04
Vote:
 

Thank you both. Adding the httpCookies config did the trick.

And yes, there is definitely a lack of documentation, at least on the StateMarker cookie. That explains why my Google searches failed me.

#204928
Jun 21, 2019 9:08
Vote:
 

Is it possible to disable the EPi:StateMarker cookie?

#207511
Sep 23, 2019 15:44
Vote:
 

To answer my own question: 

Add this to global.asax.cs

protected void Application_EndRequest()

        {
            try
            {
                if (System.Web.HttpContext.Current != null)
                {
                    System.Web.HttpContext.Current.Response.Cookies.Remove("EPi:StateMarker");
                }
            }
            catch (Exception)
            {
                //Do nothing, just don't take down the site
            }

        }

#207551
Sep 24, 2019 13:51
Vote:
 

The colon character ':' is invalid in a cookie name. This breaks an ApiController implementation we have that tries to get a cookie value using

Request.Headers.GetCookies(name).FirstOrDefault()

The ':' character in "EPi:StateMarker" prevents successful parsing of the cookie header value and so no cookies are returned.

A workaround is to use: 

HttpContext.Current.Request.Cookies.Get(name)

I suggest that Episerver change the "EPi:" cookie names so that they no longer use invalid characters.

<cookie-name> can be any US-ASCII characters, except control characters, spaces, or tabs. It also must not contain a separator character like the following: ( ) < > @ , ; : \ " /  [ ] ? = { }.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

#208308
Oct 21, 2019 14:13