Request header having ASP.NET_SessionId cookie even after renaming

  • Question

  • User1284890338 posted

    Hi All,

    I have an ASP.NET application hosted on IIS7. Since there were security issues reported by the security team, it was asked to rename the ASP.NET_SessionId cookie so that this name doesn't appear in headers. I have made the changes below and things worked fine as long as I hit the server directly with the server name in the URL, like servername/appfolder/default.aspx

    <sessionState mode="InProc" customProvider="DefaultSessionProvider" cookieName="CookieName_">

      Response Headers
        CookieName_=tzxsj2ot4dgzhxi1xyaz334n; path=/; HttpOnly
        max-age=31536000
        X-Frame-Options:SAMEORIGIN
      Request Headers
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding:gzip, deflate
        Accept-Language:en-US,en;q=0.9
        Connection:keep-alive
        Cookie:CookieName_=adklvkh5mfd2ncj5bu4gx3l0

    But since my server is under a load balancer, when I am hitting the load balancer URL to access the site, it still has the ASP.NET_SessionId cookie along with the CookieName_ cookie and a few more. I don't know why I have all these present in the request header; the response header seems to be fine.

      Response Headers
        Set-Cookie:CookieName_=dfaqg34ud1t25s1ttyl5tlb3; path=/; HttpOnly
        Strict-Transport-Security:max-age=31536000
        X-Frame-Options:SAMEORIGIN
      Request Headers
        Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
        Accept-Encoding:gzip, deflate, br
        Accept-Language:en-US,en;q=0.9
        Connection:keep-alive
        Cookie:s_fid=6A6B4F086AF5AB30-398FC71CD2A405B6; AMCV_8E391C8B533058250A490D4D%40AdobeOrg=-894706358%7CMCIDTS%7C17780%7CMCMID%7C20135125289062179468526589986389589454%7CMCAAMLH-1535561362%7C7%7CMCAAMB-1536171017%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1536178218s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17773%7CvVersion%7C2.3.0; BIGipServerstage.test.com_80=qweqew54423722.44480.0000; ASP.NET_SessionId=gl023m3p1mr13cfjqtlsghpq; projectSearch={'ExpandedItems':['0','1']}; CookieName_=ixmyqrwqo2vstkclqf3on1ym
        DNT:1

    Any help on this, please? I want to remove the ASP.NET_SessionId cookie from the request header.

    Thursday, September 13, 2018 3:58 PM

Answers

All replies

  • User475983607 posted

    I assume you are seeing Session Cookies created before the change or you have not changed configuration on all the load balanced applications.

    Try deleting all cookies, close the browser, and retry.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 13, 2018 4:07 PM
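
The two causes named in the answer above (cookies created before the change, or a load-balanced node that was not reconfigured) can be told apart from captured headers. This is an added example, not code from the thread; the function names and the `JSESSIONID`/`PHPSESSID` entries are assumptions that generalize beyond the ASP.NET case.

```python
# Added example (not from the thread): tell a leftover browser cookie apart
# from a load-balanced node that still runs the old session configuration.

# Framework default session cookie names. ASP.NET_SessionId is the one in the
# thread; the other two are added here as a generalization.
DEFAULT_SESSION_NAMES = {"ASP.NET_SessionId", "JSESSIONID", "PHPSESSID"}

def parse_cookie_header(value):
    """Split a request Cookie header into {name: value}."""
    jar = {}
    for pair in value.split(";"):
        # partition() splits on the first '=' only, so values that contain
        # '=', quotes or commas survive intact.
        name, sep, val = pair.strip().partition("=")
        if sep and name:
            jar[name] = val
    return jar

def issued_names(set_cookie_headers):
    """Cookie names the server sets in one response."""
    return {h.split("=", 1)[0].strip() for h in set_cookie_headers}

def diagnose(cookie_header, set_cookie_headers, configured_name):
    """Return 'node-misconfigured', 'browser-leftover' or 'clean'."""
    defaults = DEFAULT_SESSION_NAMES - {configured_name}
    sent = set(parse_cookie_header(cookie_header))
    if issued_names(set_cookie_headers) & defaults:
        # The server itself still emits a default name: a node was not updated.
        return "node-misconfigured"
    if sent & defaults:
        # Only the browser sends it: the cookie predates the rename and stays
        # in the browser's store until it is cleared or expires.
        return "browser-leftover"
    return "clean"

# Request Cookie header from the question, abridged to four cookies.
REQUEST_COOKIE = ("BIGipServerstage.test.com_80=qweqew54423722.44480.0000; "
                  "ASP.NET_SessionId=gl023m3p1mr13cfjqtlsghpq; "
                  "projectSearch={'ExpandedItems':['0','1']}; "
                  "CookieName_=ixmyqrwqo2vstkclqf3on1ym")
# Set-Cookie value from the question's load balancer response.
RESPONSE_SET_COOKIE = ["CookieName_=dfaqg34ud1t25s1ttyl5tlb3; path=/; HttpOnly"]

if __name__ == "__main__":
    print(diagnose(REQUEST_COOKIE, RESPONSE_SET_COOKIE, "CookieName_"))
    # Constructed response from a node that still uses the default name.
    stale_node = ["ASP.NET_SessionId=constructed0000; path=/; HttpOnly"]
    print(diagnose(REQUEST_COOKIE, stale_node, "CookieName_"))
```

A single response only reflects the node that served it, so the check has to be repeated against each node behind the load balancer before ruling out a configuration mismatch.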
  • User1284890338 posted

    Thanks for the quick response, mgebhard.

    Yes, the issue was with clearing the cookies (I made sure the configuration on all servers was the same) on my browser. I know it is silly :)

    Thanks anyway.

    Just one last thing: when I just give the URL of my load balancer server, i.e. test.com (without the app path, i.e. /app/default.aspx), it serves me the default IIS image. From where does it serve that?

    I tried deleting this image from C:/inetpub/wwwroot/welcome but it still serves this image.

    Thursday, September 13, 2018 4:31 PM
  • User475983607 posted

    Just one last thing: when I just give the URL of my load balancer server, i.e. test.com (without the app path, i.e. /app/default.aspx), it serves me the default IIS image. From where does it serve that?

    I'm not sure what you're asking.  I think the issue is related to IIS configuration where you've configured a default application on port 80 or 443 without content.  Then configured an application or virtual application within the empty default application.

    See IIS support documentation for configuring IIS.

    https://docs.microsoft.com/en-us/iis/application-frameworks/scenario-build-an-aspnet-website-on-iis/configure-an-asp-net-website-on-iis

    https://msdn.microsoft.com/en-us/library/bb763173%28v=vs.100%29.aspx?f=255&MSPPError=-2147217396

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 13, 2018 5:13 PM
  • User1284890338 posted

    I figured out that there was a different configuration on the two nodes: on one node the default application was pointing to %systemdrive%, but on the other it was another physical drive.

    Thursday, September 13, 2018 9:01 PM