How can I force IIS/.Net/Azure to stop dispensing the WAWebSiteSID cookie with its responses?
My website hosts static images. When a third party website (using another domain) requests those images directly from my website, the FireFox browser issues this error:
Cookie “WAWebSiteSID” has been rejected because it is foreign and does not have the “Partitioned“ attribute.
That is what I wish to prevent. I've tried adding:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Arr-Disable-Session-Affinity" value="True" />
<remove name="Server" />
<remove name="X-AspNet-Version" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
...which does eliminate a few superfluous headers, but the WAWebSiteSID cookie continues to be issued. I've also executed Current.Response.Cookies.Clear()
in the EndRequest event, but, of course, it's not my code adding the cookie, so that doesn't help, either.
I've looked at Prevent Azure Website to set WAWebSiteID and ARRAffinity cookies, but that doesn't answer the question. Neither does What is the exact purpose of Azure cookie 'WAWebSiteSID'?.
Can you help?
My hosting company verified that the cookie in question was being added by their load-balancing appliance. It has nothing to do with the IIS server.