Can we change the path of Asp.netsessionid cookie?

  • Question

  • User1804038735 posted
    Hi, currently in our website we are having a single page. Is it possible to change the ASP.NET_SessionId cookie path to a particular folder only?
    And what will be the side effect for this?

    Is this a best practice to change the path for securing this particular cookie?
    Wednesday, December 11, 2019 5:16 AM

All replies

  • User-1340885213 posted

    The "cookieName" is an attribute; it is new in the .NET Framework version 2.0. The default is "ASP.NET_SessionId".

    For each of your applications you can set the "cookieName" attribute of the "sessionState" XML element in your web.config to different values.

    https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/h6bb9cz9(v=vs.100)?redirectedfrom=MSDN

    Wednesday, December 11, 2019 10:51 AM
  • User1804038735 posted
    My question was different. Is it a best practice to change the path of the asp.netsessionid as it is put by .net framework itself. And if I am trying to change the path of the same, it was created with another one with the custom path. 😕
    Wednesday, December 11, 2019 2:12 PM
  • User475983607 posted

    My question was different. Is it a best practice to change the path of the asp.netsessionid as it is put by .net framework itself. And if I am trying to change the path of the same, it was created with another one with the custom path.

    The standard docs cover cookie path.

    https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525506(v%3Dvs.90)#setting-cookie-paths

    Wednesday, December 11, 2019 2:28 PM
  • User1804038735 posted
    Thanks for the URL. But here it is all about the custom cookies. My question is simple. Do we need to change the path of the ASP.NET_SessionId cookie, as its default path is root? And if I change the path, can I access the sessions in my root level?
    Wednesday, December 11, 2019 2:37 PM
  • User475983607 posted

    Arkadeep De

    Thanks for the URL. But here it is all about the custom cookies. My question is simple. Do we need to change the path of the ASP.NET_SessionId cookie, as its default path is root? And if I change the path, can I access the sessions in my root level?

    Session uses a cookie. 

    Are you trying to share Session across applications? 

    Wednesday, December 11, 2019 3:11 PM
  • User-1340885213 posted

    NO.

    I don't think of it as a best practice, because you need to work extra either on the EndRequest event handler or on an HttpModule, and also in your global.asax file.

    You may have a look at the following link.

    https://port135.com/2016/02/04/best-practices-for-session-state-and-cookies-in-asp-net-application/

    Wednesday, December 11, 2019 3:32 PM
  • User1804038735 posted
    Nope. There is only one application.
    Wednesday, December 11, 2019 4:08 PM
  • User-719153870 posted

    Hi Arkadeep De,

    About session security, you can refer to this very detailed article: Ramping up ASP.NET session security.

    "ASP.NET has two ways of transmitting session IDs back and forth to the browser, either embedded in the url or through a session cookie."

    If you are talking about the embedded in the url situation, please refer to HttpCookie.Path and mapped urls, while your application has one single page, then I guess this is not what you want?

    In another situation, then that's even more puzzling, the ASP.NET_SessionId cookie is not persisted on your hard disk and it gets discarded when you close the browser. Please check ASP.NET Cookies Overview and you will see it in the Note. As far as I know, this cookie is automatically generated and you are not able to change it.

    Best Regards,

    Yang Shen

    Thursday, December 12, 2019 5:30 AM
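
Added example (not from any poster in this thread): a sketch of the cookie path-match rule from RFC 6265 that browsers apply, showing which requests would carry the session cookie when its Path is the root default versus a single folder. The `/secure` folder, the host name and the page names are assumptions made up for the illustration.

```javascript
// Added illustration: the path-match rule of RFC 6265, section 5.1.4.
// A browser attaches a cookie only when the request path matches the cookie's Path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;            // identical paths
  if (!requestPath.startsWith(cookiePath)) return false;  // comparison is case-sensitive
  if (cookiePath.endsWith("/")) return true;              // "/secure/" covers "/secure/x"
  return requestPath[cookiePath.length] === "/";          // "/secure" must not cover "/securely"
}

// Names of the cookies in `jar` that would be sent with a request to `url`.
function cookiesSent(jar, url) {
  const path = new URL(url).pathname;
  return jar.filter((c) => pathMatches(path, c.path)).map((c) => c.name);
}

// Constructed sample data: host, folder and page names are made up.
const rootJar = [{ name: "ASP.NET_SessionId", path: "/" }];          // framework default
const scopedJar = [{ name: "ASP.NET_SessionId", path: "/secure" }];  // path narrowed to a folder
const requests = [
  "https://site.example/Default.aspx",        // root-level page
  "https://site.example/secure/Account.aspx", // inside the folder
  "https://site.example/Secure/Account.aspx", // IIS on Windows typically serves this as the same folder
  "https://site.example/securely/Other.aspx", // sibling folder sharing the prefix
];

// For each request, report whether the session cookie would be attached.
function compare() {
  return requests.map((url) => ({
    url,
    withRootPath: cookiesSent(rootJar, url).length === 1,
    withFolderPath: cookiesSent(scopedJar, url).length === 1,
  }));
}

console.table(compare());
```

A request that arrives without the cookie carries no session ID, so ASP.NET treats it as having no existing session and root-level pages would not see session state created inside the folder. Path scoping only limits which requests carry the cookie; it does not isolate the cookie from other pages on the same origin, so the HttpOnly and Secure flags matter more for protecting the session ID.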