ASP.NET_SessionId is missing

I lose ASP.NET_SessionId when switching between pages on my site. The problem occurs in Chrome / Firefox / Safari. This does not happen in IE. This is pretty weird ... here is my scenario.

You can access my site by entering www.example.org or example.org in a browser (this is an important piece of information that you will see).

Enter example.org. On my homepage, I visited my site (note: I do not use ASP.NET forms authentication). I am sent to my default user page (e.g. userpage.aspx). On this page, I click <a> , which sends me to another page on my site. The <a> link is complete (e.g. http://www.example.org/page2.aspx ). When they send me to a new page, my session will be lost!

So, I started Fiddler to try to detect the problem. What I found was interesting. The request header header tag was lost between pages.

Here are the steps:

Lost ASP.NET_SessionId is constantly lost in Chrome / Firefox / Safari. This does not happen in IE.

If you repeat the above steps, replacing example.org with www.example.org, ASP.NET_SessionId will not be lost. It works correctly every time.

Any thoughts on this behavior?

+6
source share
2 answers

Add this to your web.config under the <system.web> Element

  <httpCookies domain = ". mysite.com" />

See if there are any changes in behavior. It seems like the subdomains are failing, although I thought the cookie was based on the root domain to start with. this should force him that way.

+6
source

In my case, the following problem occurred:

In my local Visual Studio environment, my development file "web.config" accidentally contained the following:

 <configuration> <system.web> <httpCookies requireSSL="true" /> </system.web> </configuration> 

Since the development of IIS Express runs on http://localhost:7561 , which is not HTTPS, this check launches in order not to set / not accept cookies, including session identifier cookies.

The solution was to simply comment out the line <httpCookies requireSSL="true" /> .


Another similar issue that I could have imagined was the Content-Security-Policy HTML meta tag, which also controls the processing of cookies , can also be configured to not allow session ID cookies.

0
source

Source: https://habr.com/ru/post/912399/


All Articles