Session loss after migrating to ASP.NET 2.0

The HttpOnly attribute has been added to the Session cookie generated by ASP.NET 2.0.  This value is hardcoded and cannot be changed via a setting in the application.  While this is documented as a breaking change in the breaking changes document (linked below), it's not clear the types of symptoms you will see in your application, nor is the fix clearly stated.

void Application_EndRequest(object sender, EventArgs e)
     if (Response.Cookies.Count > 0)
          foreach (string s in Response.Cookies.AllKeys)
               if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
                    Response.Cookies[s].HttpOnly = false;

You could also roll this into a custom HttpModule to apply it across multiple applications if necessary.

Link to breaking changes document:

Link to HttpOnly Attribute:

Link to HttpModule documentation:

Special thanks to Shai Zohar for helping isolate the issue as well as testing the above solution.

Comments (2)
  1. lsilman says:

    Hi, I have exactly this problems with 2.0.  The application I’m running is in, and have this sub:

    Public Sub OnEndRequest(ByVal s As Object, ByVal e As EventArgs)

               Dim Context As HttpContext = CType(s, HttpApplication).Context

               Dim Response As HttpResponse = Context.Response

               ‘avoid adding to .net 2 as httpOnlyCookies default to true in 2.0

               If System.Environment.Version.Major < 2 Then

                   Const HTTPONLYSTRING As String = ";HttpOnly"

                   For Each cookie As String In Response.Cookies

                       Dim path As String = Response.Cookies(cookie).Path

                       If path.EndsWith(HTTPONLYSTRING) = False Then

                           ‘append HttpOnly to cookie

                           Response.Cookies(cookie).Path += HTTPONLYSTRING

                       End If


               End If

    End Sub

    I have no experience with, so don’t understand if it is actually a vb version of what you post, but this one is working for 1.x.  Do you think I need to modify this sub in some way?


  2. bharath says:

    what is the solution for the session loss thats happening after migration


Comments are closed.

Skip to main content