Is there a way to mark EPiSessionId Cookie secure and HttpOnly?


Like all the other questions regarding cookies and security scans, is there a way to mark the "EPiSessionId" cookie secure AND HttpOnly?

I've already set: 

<httpCookies requireSSL="true" httpOnlyCookies="true" />

and even tried to intercept the response cookies and override the settings, but that did not work.

#224595
Jun 23, 2020 9:40

Apart from setting requireSSL there, you could also try setting it on the authentication mode too. You should have something like this:

<authentication mode="Forms">
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
</authentication>

#224625
Jun 23, 2020 19:28

Ah, that's for the .EPiServerLogin cookie.

I have that configuration set as well. 

#224645
Jun 23, 2020 23:09

Hi Shella, session is default ASP.NET stuff, so have a look at this SO post: https://stackoverflow.com/a/6190050

#224648
Jun 24, 2020 6:19

Hi Antti: I'm asking about "EPiSessionId", not "ASP.NET_SessionId", which seems to be created when using Profile Store or tracking. It's not even listed in the Epi documentation on cookies.

#224649
Jun 24, 2020 6:22

Hi Shella,

Sorry, as there was no mention of Profile Store or tracking I just assumed you had renamed the ASP.NET session cookie in your solution (and not just gone with the default ASP.NET cookie name).

Anyway, if you haven't already looked / found it: that cookie comes from the Episerver NuGet package EPiServer.Session. That package contains the class EPiServer.Session.Services.Internal.DefaultSessionStoreService, which writes the cookie like this:

HttpContext.Current.Response.Headers.Add("Set-Cookie", string.Format("{0}={1}; Max-Age={2}; Path=/", "EPiSessionId", sessionId, duration));

And that is done in the Application_BeginRequest event.

As you can see it is directly setting the Set-Cookie header and not using the response cookies collection.

#224650
Jun 24, 2020 6:44
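Since the cookie is written straight into the Set-Cookie header (bypassing Response.Cookies and therefore the httpCookies settings), one place to still attach the flags is just before the headers are flushed. The following Global.asax handler is an added example, not Episerver's or the poster's code; it assumes the IIS integrated pipeline, where Response.Headers can be rewritten, and that the cookie name is exactly "EPiSessionId" as quoted above.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example (Global.asax.cs). Assumes the IIS integrated pipeline and the
// cookie name shown in the thread; verify on your own pipeline before relying on it.
public class Global : HttpApplication
{
    private const string TargetCookie = "EPiSessionId";

    // Fires after Application_BeginRequest has added the raw Set-Cookie header,
    // right before the response headers leave the server.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        var response = HttpContext.Current.Response;
        string[] values = response.Headers.GetValues("Set-Cookie");
        if (values == null) return;

        // Only add Secure when the request really arrived over TLS: a Secure
        // cookie set on a plain-HTTP response is discarded by the browser,
        // which would silently break the session instead of hardening it.
        bool secure = HttpContext.Current.Request.IsSecureConnection;

        response.Headers.Remove("Set-Cookie");
        foreach (string value in values)
            response.Headers.Add("Set-Cookie", HardenSetCookie(value, secure));
    }

    // Appends HttpOnly (and Secure when allowed) to the EPiSessionId Set-Cookie
    // value if they are missing; every other cookie is returned untouched.
    internal static string HardenSetCookie(string setCookie, bool secure)
    {
        var parts = setCookie.Split(';').Select(p => p.Trim()).Where(p => p.Length > 0).ToList();
        if (parts.Count == 0 ||
            !parts[0].StartsWith(TargetCookie + "=", StringComparison.OrdinalIgnoreCase))
            return setCookie;

        if (!parts.Any(p => p.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)))
            parts.Add("HttpOnly");
        if (secure && !parts.Any(p => p.Equals("Secure", StringComparison.OrdinalIgnoreCase)))
            parts.Add("Secure");

        return string.Join("; ", parts);
    }
}
```

After deploying, confirm the result by inspecting the Set-Cookie response header in the browser's developer tools rather than trusting the scanner alone, since the header rewrite only helps if it runs after the cookie was added in the same request.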