In my web project setting to turn on httpOnlyCookies is not there. It is

Question

0

Asked: May 13, 20262026-05-13T19:17:59+00:00 2026-05-13T19:17:59+00:00

In my web project setting to turn on httpOnlyCookies is not there. It is

0

In my web project setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in code where cookie is being set to HttpOnly. However, when I browse to the site I can see that ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T19:17:59+00:00

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can’t override this.

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
{
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;
}

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

In my web project setting to turn on httpOnlyCookies is not there. It is

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply