How to change the ASP.NET session ID cookie path?

Question

User1752568267 posted

Hello,

I'd like to be able to change the path associated with the ASP.NET session ID cookie.  That is, the cookie associated with the sessionState config.  This question has been asked before.  Examples I found were:

https://forums.asp.net/t/2154216.aspx?ASP+NET_SessionId+Cookie+override+the+path

https://stackoverflow.com/questions/2513742/setting-path-and-expiration-for-session-cookie-in-asp-net

https://www.thecodingforums.com/threads/how-to-change-the-path-of-the-session-cookie-asp-net_sessionid.122019/

I tried the first of these, and it worked - sometimes.  But, I ran into the problem referenced by the 3rd post:

"Because an http cookie is idenitified by name,path and domain combined,
changing only the path effectively creates another cookie. As a result
different strange errors occur on the site"

I didn't understand the solution proposed in the second post:

private static HttpCookie CreateSessionCookie(string id) { HttpCookie cookie = new HttpCookie(Config.CookieName, id); cookie.Path = "/"; cookie.HttpOnly = true; return cookie; }

Setting the cookie name is easy, thanks to the SessionState cookieName config. But setting the path is something I'm struggling to find a way to reliably set.

Any other approaches I can try?

Thank you

Answer 1

User475983607 posted

Can you tell us what problem setting the Session cookie path solves? 

Answer 2

User1752568267 posted

My web application is one of several on the same domain, hosted in a series of iframes. To avoid sending extra cookies from the sibling applications on the same domain with every request, we're trying to set the path for most cookies so they don't get shared (unless we explicitly want to share cookies).  Setting a path on user defined cookies is fine, as is the form's authentication cookie, since the Forms authentication config conveniently has a path attribute.  But, I'm not having much luck trying to set the ASP.NET session ID cookie's path, so that it's only included on requests that are related to my application (and not all the other sibling applications on the same domain, hosted in the various iframes).

Answer 3

User-719153870 posted

Hi Notre_Poubelle,

Notre_Poubelle

I'm not having much luck trying to set the ASP.NET session ID cookie's path

As far as i know, the ASP.NET SessioonID is automatically generated by ASP.NET when your application first time accessed over browser as a session cookie, which means that each time you refresh or close the page, the SessionID cookie will be deleted and a new one will be created.

In my opinion, it's not necessary to control the ASP.NET SessionID cookie.

Please refer to Http Session State. SessionID Property and ASP.NET_SessionId Cookie.

Best Regard,

Yang Shen

Answer 4

User1752568267 posted

Hi Yang,

I think you are mostly correct - the ASP.NET session ID is automatically created by ASP.NET when the application is first accessed, and deleted when the user closes the browser.  Depending on the browser and the use, it actually may require closing the entire browser, not just the active tab.  (If you're using a Session in Internet Explorer, or Incognito mode/private browsing, closing just those windows or tabs may be sufficient, but for many browsers cookies are persisted until the browser is completely closed).  I'm not sure about a page refresh; I think in most cases the session cookie would be persisted across the refresh.

At any rate, regardless of whether the cookie persists until the browser is closed or not, it sticks around for the entire "session" of the application.  In my scenario, I have multiple applications (in iframes) each with their own set of cookies, including session cookies.  Since they are on the same domain, all the cookies (across all the applications) are actually present for all the applications.  Any application in the set of related applications sharing the common domain, will include in its requests all of the cookies that are on the common domain with the same root cookie path.  Why do I care?  Because it makes the cookie size & cookie number large in each request.  And that can impact performance.  This is discussed in some detail here:

https://www.thisisoptimal.com/performance/cookies-and-performance/

So, how can avoid this performance hit with cookies?  Reduce the number and size of cookies.  Each application on its own has a reasonable number of cookies. The forms authentication cookie is pretty big in ASP.NET by default - 492 bytes.  The recommendation is to keep the cookies size to 1 KB or less.  Almost half is already used, by a single cookie for one application.  We can't reasonably shrink this cookie, but what we can do is modify the path so that the cookie isn't included in most requests; it is included only in requests related to application that actually needs it.  By doing this for every cookie, for all the applications, we can effectively reduce the number of cookie (and total size) in most requests.  This is my goal also for the ASP.NET session Id cookie.  The good news is, this cookie is smaller than the ASP.NET forms authentication cookie.  But on principal, it's best to segment stuff as much possible, otherwise eventually I'll run above the recommended size, and performance will be impacted.

EDIT: Theoretically, all the applications in iframes could be on separate domains.  This is what we're doing today.  This would also segment the cookies, rather than relying on the path.  The problem with using different domains is that same origin policy restricts what can be done in terms of interactions between the applications, resulting in a degraded user experience.

Thanks,

Notre

Answer 5

User1752568267 posted

Yang Shen and mgebhard, is it clearer now the reason I want to change the ASP.NET session ID cookie path?  Do either of you (or anyone else) know of a way to accomplish this?

Thanks,

Notre

Answer 6

User-719153870 posted

Hi Notre_Poubelle,

Seems there's a way to accomplish it. You will need to create your own SessionIDManager, please refer to SessionIDManager.cs and you can see the cookie.Path is hard coded:

static HttpCookie CreateSessionCookie(String id) {
            HttpCookie  cookie;
 
            cookie = new HttpCookie(Config.CookieName, id);
            cookie.Path = "/";
            cookie.SameSite = Config.CookieSameSite;
 
            // VSWhidbey 414687 Use HttpOnly to prevent client side script manipulation of cookie
            cookie.HttpOnly = true;
 
            return cookie;
        }

As you can see, you need to create your own SessionIDManager which is inherited from ISessionIDManger and change the cookie.Path to whatever you want.

As for the thread https://forums.asp.net/t/2154216.aspx you mentioned in your first post, below method is called repeatedly since the cookie has been configured once in the source code.

base.SaveSessionID(context, id, out redirected, out cookieAdded);

Best Regard,

Yang Shen