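The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0. This value is hardcoded and cannot be changed via a setting in the application. While this is documented as a breaking change in the breaking changes document (linked below), that document makes clear neither the types of symptoms you will see in your application nor the fix. The following Application_EndRequest handler clears the HttpOnly flag on the forms authentication and session cookies before the response is sent, which makes them readable from client-side script again.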
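```csharp
// Global.asax: runs at the end of every request, before the response is sent.
void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.Cookies.Count > 0)
    {
        foreach (string s in Response.Cookies.AllKeys)
        {
            // Ordinal, case-insensitive match: ToLower() is culture-sensitive
            // and can miss "ASP.NET_SessionId" under some cultures (e.g. tr-TR).
            if (s == FormsAuthentication.FormsCookieName ||
                String.Equals(s, "asp.net_sessionid", StringComparison.OrdinalIgnoreCase))
            {
                Response.Cookies[s].HttpOnly = false;
            }
        }
    }
}
```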
You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.
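The HttpModule variant mentioned above, as an added example that is not code from the original post: it clears HttpOnly only on cookies named in an appSettings entry, so each application opts in per cookie. The class name and the `ScriptReadableCookies` key are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

// Added example, not from the original post. The class name and the
// "ScriptReadableCookies" appSettings key are assumptions.
public class ScriptReadableCookieModule : IHttpModule
{
    // Cookies this application opts in to exposing to client-side script.
    private readonly List<string> _names = new List<string>();

    public void Init(HttpApplication app)
    {
        // e.g. <add key="ScriptReadableCookies" value="ASP.NET_SessionId" />
        // With no entry the module leaves every cookie untouched.
        string setting = ConfigurationManager.AppSettings["ScriptReadableCookies"];
        if (!String.IsNullOrEmpty(setting))
        {
            foreach (string n in setting.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
                _names.Add(n.Trim());
        }
        app.EndRequest += new EventHandler(OnEndRequest);
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;
        // Walk AllKeys instead of probing Response.Cookies["name"]: the
        // indexer on the response collection creates an empty cookie when
        // the name is absent, which would emit an extra Set-Cookie header.
        foreach (string key in response.Cookies.AllKeys)
        {
            if (IsListed(key))
                response.Cookies[key].HttpOnly = false;
        }
    }

    private bool IsListed(string key)
    {
        foreach (string n in _names)
            if (String.Equals(n, key, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public void Dispose() { }
}
```

Register the module under `<httpModules>` in the web.config of each application that needs it; cookies not named in the setting keep HttpOnly.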
Link to breaking changes document:
https://msdn.microsoft.com/netframework/programming/breakingchanges/runtime/aspnet.aspx
Link to HttpOnly Attribute:
https://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
Link to HttpModule documentation:
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhttpmodules.asp
Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.
Comments
- Anonymous
June 08, 2006
Hi, I have exactly this problem with ASP.NET 2.0. The application I'm running is in VB.NET, and has this sub:
```vb
Public Sub OnEndRequest(ByVal s As Object, ByVal e As EventArgs)
    Dim Context As HttpContext = CType(s, HttpApplication).Context
    Dim Response As HttpResponse = Context.Response
    'avoid adding to .net 2 as httpOnlyCookies default to true in 2.0
    If System.Environment.Version.Major < 2 Then
        Const HTTPONLYSTRING As String = ";HttpOnly"
        For Each cookie As String In Response.Cookies
            Dim path As String = Response.Cookies(cookie).Path
            If path.EndsWith(HTTPONLYSTRING) = False Then
                'append HttpOnly to cookie
                Response.Cookies(cookie).Path += HTTPONLYSTRING
            End If
        Next
    End If
End Sub
```
I have no experience with ASP.NET, so I don't understand if it is actually a VB version of what you posted, but this one is working for ASP.NET 1.x. Do you think I need to modify this sub in some way?
Thanks!
- Anonymous
November 03, 2015
What is the solution for the session loss that's happening after migration?