After a security audit I got the requirement to set the cookie ASP.NET_sessionID as

Question

0

Editorial Team

Asked: June 11, 20262026-06-11T03:39:25+00:00 2026-06-11T03:39:25+00:00

After a security audit I got the requirement to set the cookie ASP.NET_sessionID as

0

After a security audit I got the requirement to set the cookie ASP.NET_sessionID as “secure”.

Right now the flag is not set.

Can I use SessionIDManager to set it as secure? I am already using it to change the value of the Session cookie after logging in with this code:

            System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
            string oldId = manager.GetSessionID(System.Web.HttpContext.Current);
            string newId = manager.CreateSessionID(System.Web.HttpContext.Current);
            bool isAdd = false, isRedir = false;
            manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedir, out isAdd);

EDIT

I saw that I can set

<httpCookies httpOnlyCookies="false" requireSSL="true" />

But I only want to have this one cookie secure

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-11T03:39:27+00:00

Editorial Team

2026-06-11T03:39:27+00:00Added an answer on June 11, 2026 at 3:39 am

This should enable you to set the cookie as secure:

void Application_EndRequest(object sender, EventArgs e)
{
    var sessionCookieKey = Response.Cookies.AllKeys.SingleOrDefault(c => c.ToLower() == "asp.net_sessionid");
    var sessionCookie = Response.Cookies.Get(sessionCookieKey);
    if(sessionCookie != null)
    {
        sessionCookie.Secure = true;
    }
}

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

After a security audit I got the requirement to set the cookie ASP.NET_sessionID as

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply