Jerry Orman

Adventures in SharePoint
Follow me on Twitter!
Options
Search Blogs
  • Advanced search options...
Tags
Archive
Archives

Session loss after migrating to ASP.NET 2.0

MSDN Blogs > Jerry Orman > Session loss after migrating to ASP.NET 2.0

Session loss after migrating to ASP.NET 2.0

5 Mar 2006 4:20 PM
  • Comments 1

The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0.  This value is hardcoded and cannot be changed via a setting in the application.  While this is documented as a breaking change in the breaking changes document (linked below), it's not clear the types of symptoms you will see in your application, nor is the fix clearly stated.

void Application_EndRequest(object sender, EventArgs e)
{
     if (Response.Cookies.Count > 0)
     {
          foreach (string s in Response.Cookies.AllKeys)
          {
               if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
               {
                    Response.Cookies[s].HttpOnly = false;
               }
          }
     }
}

You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.

Link to breaking changes document:
http://msdn.microsoft.com/netframework/programming/breakingchanges/runtime/aspnet.aspx

Link to HttpOnly Attribute:
http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx

Link to HttpModule documentation:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhttpmodules.asp

Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.

Comments
  • 9 Jun 2006 12:10 AM
    Hi, I have exactly this problems with asp.net 2.0.  The application I'm running is in vb.net, and have this sub:

    Public Sub OnEndRequest(ByVal s As Object, ByVal e As EventArgs)
               Dim Context As HttpContext = CType(s, HttpApplication).Context
               Dim Response As HttpResponse = Context.Response
               'avoid adding to .net 2 as httpOnlyCookies default to true in 2.0
               If System.Environment.Version.Major < 2 Then
                   Const HTTPONLYSTRING As String = ";HttpOnly"
                   For Each cookie As String In Response.Cookies
                       Dim path As String = Response.Cookies(cookie).Path
                       If path.EndsWith(HTTPONLYSTRING) = False Then
                           'append HttpOnly to cookie
                           Response.Cookies(cookie).Path += HTTPONLYSTRING
                       End If
                   Next
               End If
    End Sub

    I have no experience with asp.net, so don't understand if it is actually a vb version of what you post, but this one is working for asp.net 1.x.  Do you think I need to modify this sub in some way?
    Thanks!
Page 1 of 1 (1 items)
Leave a Comment
  • Please add 6 and 5 and type the answer here:
  • Post