Session state and session cookies best practices

Best practices for the session state:

  • Change the default session ID name. In ASP.NET, the default name is ASP.NET_SessionId. This immediately gives away that the application is ASP.NET and that that cookie contains the session ID value
  • Make sure the length of the session ID is long enough to prevent brute force attacks. Recommended length is 128 bits
  • Make sure to create the session ID in a completely random way. This ensures that attackers can’t guess the session ID by using predictability analysis
  • Ensure that the session ID does not contain any additional sensitive data. The data should be a random string of characters with no meaning
  • HTTPS should be used for all session based applications handling sensitive data
  • Session cookies should be created with the Secure and HttpOnly attributes
  • Prevent concurrent sessions where possible
  • Destroy sessions upon timeout, logoff, browser close or log-in from a separate location


Best practices for the session cookies:

  • Do not store any critical information in cookies. For example, do not store a user’s password in a cookie. As a rule, do not keep anything in a cookie that can compromise your application. Instead, keep a reference in the cookie to a location on the server where the data is
  • Set expiration dates on cookies to the shortest practical time. Avoid using permanent cookies
  • Consider encrypting information in cookies
  • Consider setting the Secure and HttpOnly properties on the cookie to true

Here are a few examples of implementing best practices for cookies:

Web.config file:

    <sessionState regenerateExpiredSessionId="false" cookieless="UseCookies" cookieName="id" />

Code-behind file:

Response.Cookies.Add(new HttpCookie("id", ""));
Response.Cookies["id"].HttpOnly = true;
Response.Cookies["id"].Secure = Convert.ToBoolean(ConfigurationManager.AppSettings["SecureCookie"]);




Feel free to share:)