I've got two ASP.Net applications residing in two different folders on my server:

/Foo <-- this is the standard unsecure application
/Secure <-- this is a separate application that requires SSL by IIS

The problem is that by default, the ASP.NET_SessionId cookie is specified on the domain and is shared between the two applications in different directories. I need the session cookie to be different because I can't allow a hijacked cookie on /Foo to be used to grant access to the /Secure application.
Ideally, I would like each application's cookie to be limited by the cookie Path property. There's apparently no way to do this in .Net out of the box.
As an added headache, even if I write custom code to set the cookie path, I'm fearful that some browsers are case sensitive and won't use the same session cookie for /Foo and /foo, which, depending on how the links are built, can result in multiple sessions in the same application.
Has anyone encountered and overcome this issue?
In .Net 2.0 and above, you can set the "cookieName" attribute of the "sessionState" XML element in your web.config to different values for each of your applications. That will keep them from using the same session ID.
Here's the MSDN reference for this.
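As an added illustration of that answer (constructed here, not the answerer's own configuration), the two web.config files below give each application its own session cookie name, and the SSL-only application additionally marks its cookies Secure and HttpOnly. The names Foo_SessionId and Secure_SessionId are arbitrary placeholders.

```xml
<!-- /Foo/web.config (constructed example) -->
<configuration>
  <system.web>
    <!-- Without cookieName both apps would use ASP.NET_SessionId,
         so a session ID obtained on /Foo would be presented to /Secure. -->
    <sessionState mode="InProc" cookieName="Foo_SessionId" timeout="20" />
  </system.web>
</configuration>

<!-- /Secure/web.config (constructed example) -->
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieName="Secure_SessionId" timeout="20" />
    <!-- requireSSL sets the Secure flag so the cookie is never sent over plain HTTP;
         httpOnlyCookies keeps it out of reach of client-side script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Distinct names stop the two applications from reading each other's session ID, but a session cookie's path defaults to "/", so the browser still sends Secure_SessionId along with plain-HTTP requests to /Foo on the same host. The requireSSL setting in the second file is what keeps the /Secure cookie off the unencrypted path; check with the browser's cookie inspector that the cookie shows the Secure flag after the first HTTPS response.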
Check the icon for your /Secure folder in IIS.
If it has a cog icon then it's a separate application and the sessions should be different and the app will run in its own appdomain.
If it's a globe icon then it's a virtual directory and will share the same session as the root site and /Foo.