How is HttpOnly get set for ASP.NET_SessionId cookie?

In my web project setting to turn on httpOnlyCookies is not there. It is false by default. Also there is no place in code where cookie is being set to HttpOnly. However, when I browse to the site I can see that ASP.NET_Session cookie is being passed as HttpOnly. How is it set to HttpOnly?


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

ASP.NET session cookies are HTTP only, regardless of the httpOnlyCookies setting linked to in your question, because this is burned into ASP.NET. You can’t override this.

If you dig into the System.Web.SessionState.SessionIDManager class in the System.Web assembly the code for creating the ASP.NET session cookie looks like:

private static HttpCookie CreateSessionCookie(string id)
    HttpCookie cookie = new HttpCookie(Config.CookieName, id);
    cookie.Path = "/";
    cookie.HttpOnly = true;   // <-- burned in
    return cookie;

Method 2

It is HttpOnly so your session cookie cannot be modified by the client with JavaScript.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x