
Session loss after migrating to ASP.NET 2.0

The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0.  This value is hardcoded and cannot be changed via a setting in the application.  While this is documented as a breaking change in the breaking changes document (linked below), that document does not make clear what symptoms you will see in your application, nor does it clearly state the fix.

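// Global.asax handler; FormsAuthentication needs <%@ Import Namespace="System.Web.Security" %>.
void Application_EndRequest(object sender, EventArgs e)
{
     if (Response.Cookies.Count > 0)
     {
          // AllKeys returns a copy of the names, so the loop body may touch the collection.
          foreach (string s in Response.Cookies.AllKeys)
          {
               // Ordinal, case-insensitive match: ToLower() is culture-sensitive
               // (it fails to match under tr-TR) and throws on a null key.
               if (s == FormsAuthentication.FormsCookieName ||
                   String.Equals(s, "ASP.NET_SessionId", StringComparison.OrdinalIgnoreCase))
               {
                    // Clearing HttpOnly makes the cookie readable by client-side script again.
                    Response.Cookies[s].HttpOnly = false;
               }
          }
     }
}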

You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.
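
As an added example (not code from the original post), here is the same workaround packaged as an HttpModule. The class name and the web.config registration are hypothetical, the class is assumed to sit in App_Code, and it goes slightly beyond the post by reading the session cookie name from the sessionState configuration instead of hard-coding the default.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Hypothetical module name. Register it in each application's web.config:
//   <system.web><httpModules>
//     <add name="ScriptReadableCookies" type="ScriptReadableCookiesModule" />
//   </httpModules></system.web>
public class ScriptReadableCookiesModule : IHttpModule
{
    private string sessionCookieName;

    public void Init(HttpApplication application)
    {
        // Use the configured session cookie name rather than assuming
        // the default "ASP.NET_SessionId".
        SessionStateSection section = (SessionStateSection)
            WebConfigurationManager.GetSection("system.web/sessionState");
        sessionCookieName = section.CookieName;
        application.EndRequest += new EventHandler(OnEndRequest);
    }

    private void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;

        // AllKeys returns a copy, so touching the collection in the loop is safe.
        foreach (string name in response.Cookies.AllKeys)
        {
            if (IsTargetCookie(name))
            {
                // After this, client-side script can read the cookie again.
                response.Cookies[name].HttpOnly = false;
            }
        }
    }

    // Only the two cookies the post names are touched; all others keep their flag.
    private bool IsTargetCookie(string name)
    {
        return String.Equals(name, FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase)
            || String.Equals(name, sessionCookieName, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```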

Link to breaking changes document:
http://msdn.microsoft.com/netframework/programming/breakingchanges/runtime/aspnet.aspx

Link to HttpOnly Attribute:
http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx

Link to HttpModule documentation:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconhttpmodules.asp

Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.

Published Sunday, March 05, 2006 3:20 PM by Jorman

Comments

Friday, June 09, 2006 12:10 AM by lsilman

# re: Session loss after migrating to ASP.NET 2.0

Hi, I have exactly this problem with asp.net 2.0.  The application I'm running is in vb.net, and has this sub:

Public Sub OnEndRequest(ByVal s As Object, ByVal e As EventArgs)
           Dim Context As HttpContext = CType(s, HttpApplication).Context
           Dim Response As HttpResponse = Context.Response
           'avoid adding to .net 2 as httpOnlyCookies default to true in 2.0
           If System.Environment.Version.Major < 2 Then
               Const HTTPONLYSTRING As String = ";HttpOnly"
               For Each cookie As String In Response.Cookies
                   Dim path As String = Response.Cookies(cookie).Path
                   If path.EndsWith(HTTPONLYSTRING) = False Then
                       'append HttpOnly to cookie
                       Response.Cookies(cookie).Path += HTTPONLYSTRING
                   End If
               Next
           End If
End Sub

I have no experience with asp.net, so I don't understand if it is actually a vb version of what you posted, but this one is working for asp.net 1.x.  Do you think I need to modify this sub in some way?
Thanks!