Hello,

is there any reason (safety?) why someone should rename the ASP.NET Session Cookie Name or is it just a senseless option of ASP.NET?

A: 

1) It might (slightly) slow someone down who is (casually) looking for it.

2) You might want to hide the fact that you are running ASP.NET

UpTheCreek
2) may be true, but the first giveaway for ASP.NET will be in the rendered markup and id mangling
Russ Cam
+2  A: 

If you have several applications running under the same domain on the same server, you may well want to have separate session cookie names for each one, so that they aren't sharing the same session state or worse still overwriting each other.

See also the notes for the Forms Auth cookie name:

Specifies the HTTP cookie to use for authentication. If multiple applications are running on a single server and each application requires a unique cookie, you must configure the cookie name in each Web.config file for each application.

Zhaph - Ben Duguid
I am not an ASP.NET expert, but doesn't it set the cookie 'path' parameter accordingly when using multiple apps under the same domain?
Ferdinand Beyer
@Ferdinand Beyer - it might do, but there isn't a "path" or even "domain" attribute on the session state configuration - note that the Forms Auth cookie Path notes say "The default is a slash (/), because most browsers are case-sensitive and will not send cookies back, if there is a path case mismatch.". You're opening yourself to a potential world of pain there.
Zhaph - Ben Duguid
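The collision described in the answer above, modelled as an added example (not code from the answer or from ASP.NET): browsers keep one cookie per name, domain and path, so two applications on the same host that both issue the default `ASP.NET_SessionId` name replace each other's value. The host, application paths and session values are constructed, and the `/` cookie path is an assumption.

```python
# Added illustration: minimal model of browser cookie storage (RFC 6265).
# Host name, app paths and session values are constructed for the example.

DEFAULT_NAME = "ASP.NET_SessionId"  # ASP.NET's default session cookie name


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Stores one cookie per (name, domain, path); a repeat replaces the old one."""

    def __init__(self):
        self._store = {}

    def set_cookie(self, host, name, value, path="/"):
        # Same name + domain + path overwrites the earlier cookie.
        self._store[(name, host, path)] = value

    def cookies_for(self, host, request_path):
        """Return {name: value} sent with a request (all paths here are "/")."""
        return {
            name: value
            for (name, domain, path), value in self._store.items()
            if domain == host and path_matches(request_path, path)
        }


def simulate(shop_cookie, admin_cookie):
    """Two apps on one host each issue a session cookie with path=/ (assumed)."""
    jar = CookieJar()
    host = "intranet.example"  # constructed host
    jar.set_cookie(host, shop_cookie, "shop-session-1")    # response from /shop
    jar.set_cookie(host, admin_cookie, "admin-session-9")  # response from /admin
    # What the /shop app reads back under its own cookie name on the next request:
    return jar.cookies_for(host, "/shop/cart").get(shop_cookie)


if __name__ == "__main__":
    print(simulate(DEFAULT_NAME, DEFAULT_NAME))          # shared name: overwritten
    print(simulate("ShopSessionId", "AdminSessionId"))   # distinct names: intact
```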
A: 

I think it's mainly a matter of taste. Some people/companies want to control every aspect of their web apps and might just use another name for consistency with other cookie names. For example, if you use very short one-character parameter names throughout your app you might not like session cookie names like ASPSESSID.

Security reasons might apply but security through obscurity is rather weak in my opinion.

Ferdinand Beyer