Separate Applications Sharing the Same ASP.Net Session Cookie

Question

I've got two ASP.Net applications residing in two different folders on my server:

• /Foo <-- this is the standard unsecure application
• /Secure <-- this is a separate application that requires SSL by IIS

The problem is that by default, the ASP.NET_SessionId cookie is specified on the domain and is shared between the two applications in different directories. I need the session cookie to be different because I can't allow a hijacked cookie on /Foo to be used to grant access to the /Secure application.

Ideally, I would like each application's cookie to be limited by the cookie Path property. There's apparently no way to do this in .Net out of the box.

As an added headache, even if I write custom code to set the cookie path, I'm fearful that some browsers are case sensitive and won't use the same session cookie for /Foo and /foo, which, depending on how the links are built, can result in multiple sessions in the same application.

Has anyone encountered and overcome this issue?

Answer 1

In .Net 2.0 and above, you can set the "cookieName" attribute of the "sessionState" XML element in your web.config to different values for each of your applications. That will keep them from using the same session ID.

Here's the MSDN reference for this.

Answer 2

Check the icon for your /Secure folder in IIS.

If it has a cog icon then it's a seperate application and the sessions should be different and the app will run in it's own appdomain.

If it's a globe icon then it's a virtual directory and will share the same session as the root site and /Foo.