asp.net-core session-cookies razor-pages session-fixation

How to clear/reset/renew the Session Cookie in an ASP.NET Core (Razor Pages) app on login or logout


I am trying to get a new value for the Session Cookie for every new login. Basically, the value in the screenshot below should have a new random string every time a user logs in. This is to avoid Session Fixation.

I have tried the following:

On login:

    Response.Cookies.Delete(".AspNetCore.Session");
    HttpContext.Request.Cookies[".AspNetCore.Session"] = "123132" //does not allow to be set

On log out:

    HttpContext.Session.Clear();
    Response.Clear();
    Session.Abandon() // Abandon is no longer available

But the value of the Session Cookie just does not change. Any guidance is greatly appreciated.

Session Cookie on Browser Inspect


Solution

  • Try to use Response.Cookies.Delete(".AspNetCore.Session"); in Logout to delete the cookie

    Below is a working demo you can refer to:

    On login:

    Response.Cookies.Append("Test_cookie", "yo");

    On log out:

    Response.Cookies.Delete("Test_cookie");

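An added example, not part of the original question or answer: a Razor Pages login/logout pair that retires the pre-login session key so a fixated `.AspNetCore.Session` value is no longer honoured after authentication. It assumes `UseSession()` and cookie authentication are registered under their default names; `ICredentialChecker`, the `LoginModel` members and the `/Index` redirect target are hypothetical.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical credential check; substitute the application's own.
public interface ICredentialChecker { bool IsValid(string user, string password); }

public class LoginModel : PageModel
{
    private const string SessionCookie = ".AspNetCore.Session"; // default name, as in the question
    private const string Scheme = CookieAuthenticationDefaults.AuthenticationScheme;
    private readonly ICredentialChecker _checker;
    public LoginModel(ICredentialChecker checker) => _checker = checker;

    [BindProperty] public string UserName { get; set; } = "";
    [BindProperty] public string Password { get; set; } = "";

    public async Task<IActionResult> OnPostAsync()
    {
        if (!_checker.IsValid(UserName, Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid login.");
            return Page();
        }
        ResetSession();
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, UserName) }, Scheme);
        await HttpContext.SignInAsync(Scheme, new ClaimsPrincipal(identity));
        // Write post-login session data on the NEXT request. The session middleware
        // only generates a new key when a request arrives without a valid session cookie.
        return RedirectToPage("/Index");
    }

    public async Task<IActionResult> OnPostLogoutAsync()
    {
        ResetSession();
        await HttpContext.SignOutAsync(Scheme);
        return RedirectToPage("/Index");
    }

    private void ResetSession()
    {
        HttpContext.Session.Clear();            // drop data held under the old key
        Response.Cookies.Delete(SessionCookie); // expire the cookie so the browser discards the old key
    }
}
```

If `AddSession` sets a custom cookie name or path, pass the same name and a `CookieOptions` with that path to `Delete`; otherwise the browser keeps the old cookie.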