Session state and session cookies best practices
Microsoft

Best practices for the session state:

  • Change the default session ID cookie name. In ASP.NET, the default name is ASP.NET_SessionId, which tells an attacker both that the application runs ASP.NET and which cookie carries the session ID. Renaming raises the cost of fingerprinting; it is not a substitute for the controls below
  • Make sure the session ID is long enough to withstand brute-force guessing. The recommended length is 128 bits of entropy
  • Generate the session ID with a cryptographically secure random number generator. This ensures that attackers cannot predict a valid ID, or derive one from IDs they have already observed
  • Ensure that the session ID does not contain any additional sensitive data. It should be an opaque random string with no meaning of its own
  • HTTPS should be used for all session-based applications handling sensitive data; over plain HTTP the session cookie travels in cleartext and can be captured on the network
  • Session cookies should be created with the Secure and HttpOnly attributes
  • Prevent concurrent sessions where possible: a new login invalidates the user's previous session
  • Destroy sessions upon timeout, logoff, browser close or log-in from a separate location. The server cannot observe a browser closing, so pair a non-persistent cookie (no Expires/Max-Age) with a server-side idle timeout that actually removes the session data
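As an added illustration of the server-side half of this list (example code, not from the original post, and not ASP.NET's own session-state module, which generates and stores IDs for you), here is a small Python session store: a 128-bit ID from the CSPRNG, a cookie that carries only that opaque ID, one live session per user, and destruction on logout and on idle timeout. The store class, the cookie name id, the 20-minute idle timeout and the clock passed in as a parameter are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

SESSION_ID_BYTES = 16            # 128 bits of CSPRNG output, per the list above
IDLE_TIMEOUT_SECONDS = 20 * 60   # 20 minutes, an assumption chosen for the example


def new_session_id() -> str:
    # Opaque and unpredictable; carries no user data. 16 random bytes -> 22 URL-safe characters.
    return secrets.token_urlsafe(SESSION_ID_BYTES)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)   # server-side state; never goes into the cookie


class SessionStore:
    """Server-side store keyed by session ID. The cookie carries only the ID (a reference)."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._sessions: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}      # user -> the one live session ID
        self._idle_timeout = idle_timeout

    def login(self, user: str, now: float) -> str:
        # No concurrent sessions: a login from anywhere destroys the user's previous session.
        # A fresh ID is issued on every login, so an ID planted by an attacker is never kept.
        previous = self._by_user.pop(user, None)
        if previous is not None:
            self._sessions.pop(previous, None)
        sid = new_session_id()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        self._by_user[user] = sid
        return sid

    def get(self, sid: str, now: float) -> Optional[Session]:
        # Resolve the cookie value to a session; an idle session is destroyed, not merely refused.
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self._idle_timeout:
            self.logout(sid)
            return None
        session.last_seen = now
        return session

    def logout(self, sid: str) -> None:
        session = self._sessions.pop(sid, None)
        if session is not None and self._by_user.get(session.user) == sid:
            del self._by_user[session.user]

    def session_cookie(self, sid: str, name: str = "id") -> str:
        # Non-default name, Secure, HttpOnly and SameSite. No Expires/Max-Age: the browser drops
        # the cookie on close and the server-side idle timeout bounds the session's lifetime.
        return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", time.time())
    print(store.session_cookie(sid))
```

The ID is the only thing the client ever holds; everything else stays in the store, which is what "keep a reference in the cookie to a location on the server" means in practice.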

 

Best practices for the session cookies:

  • Do not store any critical information in cookies. For example, do not store a user’s password in a cookie. As a rule, do not keep anything in a cookie that can compromise your application. Instead, keep a reference in the cookie to a location on the server where the data is
  • Set expiration dates on cookies to the shortest practical time. Avoid using permanent cookies
  • Consider encrypting information in cookies, and sign whatever you do store in them: encryption hides a value from the client but by itself does not stop the client from tampering with it
  • Set the Secure and HttpOnly properties on the cookie to true
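To check a deployed application against both lists above, here is an added Set-Cookie audit in Python (example code, not from the original post). It flags the default ASP.NET session cookie name, a missing Secure or HttpOnly attribute, a SameSite value that is absent or None, a persistent Expires/Max-Age on what should be a session cookie, and a value too short to hold 128 bits. The sample headers are constructed for the example; the entropy figure is only an upper bound from length and visible alphabet, since the client cannot see how the server generated the value.

```python
import math
import re
from typing import Dict, List

# Default cookie names that identify the framework (the first is ASP.NET's).
DEFAULT_SESSION_NAMES = {"asp.net_sessionid", "phpsessid", "jsessionid"}
MIN_ID_BITS = 128

# Constructed sample headers for the example, not captured from a real site.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=kq3l2pzo5n4hxu0bbwvy1ctd; path=/; HttpOnly",
    "id=7f3a9c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "id=u4Fz9KX3s_bTq-Wm1LpYcA; Path=/; Secure; HttpOnly; SameSite=Lax",
    "id=u4Fz9KX3s_bTq-Wm1LpYcA; Path=/; Secure; HttpOnly; SameSite=Lax; "
    "Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into name, value and lower-cased attribute keys."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def estimate_bits(value: str) -> float:
    """Upper bound on the entropy a value can hold, from its length and visible alphabet.
    This only catches IDs that are too short to contain 128 bits at all; it says nothing
    about how the server actually generated them."""
    if re.fullmatch(r"[0-9]+", value):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        alphabet = 16
    elif re.fullmatch(r"[A-Za-z0-9_-]+", value):
        alphabet = 64
    else:
        alphabet = 94   # printable ASCII minus separators, a generous assumption
    return len(value) * math.log2(alphabet)


def audit_set_cookie(header: str) -> List[str]:
    """Findings for one session cookie header, in a fixed order; an empty list means clean."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if c["name"].lower() in DEFAULT_SESSION_NAMES:
        findings.append("default framework session cookie name")
    if "secure" not in c:
        findings.append("missing Secure")
    if "httponly" not in c:
        findings.append("missing HttpOnly")
    if c.get("samesite", "").lower() in ("", "none"):
        findings.append("SameSite absent or None")
    if "expires" in c or "max-age" in c:
        findings.append("persistent cookie (Expires/Max-Age set)")
    bits = estimate_bits(c["value"])
    if bits < MIN_ID_BITS:
        findings.append(f"value carries at most {bits:.0f} bits")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header.split(";")[0])
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("  -", finding)
```

Run it against the Set-Cookie headers captured from a login response; the first sample (an unrenamed ASP.NET cookie sent without Secure or SameSite) is the shape most often seen in the field, and the second shows why the length check matters even when every attribute is present.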

 

Example

Here are a few examples of implementing best practices for cookies:

 

Web.config file:

<system.web>
  <!-- Session ID only in a cookie (never in the URL), under a non-default name. -->
  <sessionState regenerateExpiredSessionId="false" cookieless="UseCookies" cookieName="id" />
  <!-- Secure and HttpOnly on every cookie ASP.NET issues, including the session cookie. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

Code-behind file:

// A cookie the application issues itself ("app_pref" is a placeholder name). Do not reuse the
// session cookie name configured above: adding an empty cookie called "id" would overwrite the
// session ID. Secure is set unconditionally; reading it from AppSettings silently yields false
// when the setting is missing.
var cookie = new HttpCookie("app_pref", "") { HttpOnly = true, Secure = true };
Response.Cookies.Add(cookie);

 

References:

  • ASP.NET Cookies Overview: https://msdn.microsoft.com/en-us/library/ms178194.aspx
  • Use Cookies Securely: https://msdn.microsoft.com/en-us/library/zdh19h94.aspx#cpconbestsecuritypracticesforwebapplicationsanchor8