I have set the .ASPXAUTH cookie to be https only but I am not

Question

0

Asked: May 22, 20262026-05-22T00:55:27+00:00 2026-05-22T00:55:27+00:00

I have set the .ASPXAUTH cookie to be https only but I am not

0

I have set the .ASPXAUTH cookie to be https only but I am not sure how to effectively do the same with the ASP.NET_SessionId.

The entire site uses HTTPS so there is no need for the cookie to work with both http and https.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-22T00:55:28+00:00

Here is a code snippet taken from a blog article written by Anubhav Goyal:

// this code will mark the forms authentication cookie and the
// session cookie as Secure.
if (Response.Cookies.Count > 0)
{
    foreach (string s in Response.Cookies.AllKeys)
    {
        if (s == FormsAuthentication.FormsCookieName || "asp.net_sessionid".Equals(s, StringComparison.InvariantCultureIgnoreCase))
        {
             Response.Cookies[s].Secure = true;
        }
    }
}

Adding this to the EndRequest event handler in the global.asax should make this happen for all page calls.

Note: An edit was proposed to add a break; statement inside a successful “secure” assignment. I’ve rejected this edit based on the idea that it would only allow 1 of the cookies to be forced to secure and the second would be ignored. It is not inconceivable to add a counter or some other metric to determine that both have been secured and to break at that point.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have set the .ASPXAUTH cookie to be https only but I am not

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply