
I have an ASP.NET app that is returning two Set-Cookie headers for ASP.NET_SessionId. The following appears twice:

Set-Cookie: ASP.NET_SessionId=2alwzlvkg2ckvi43s3y0t3lm; path=/; HttpOnly

This is happening both locally and on our development and QA servers.

The value set is the same so it doesn't appear to cause any problems, however I'm curious to know why two Set-Cookie headers are being returned to the client.

I have searched the application's code, looked through the web.config and Googled for an explanation, but I am unable to pinpoint the reason for the duplicate headers. Any ideas?

Mark Good

1 Answer

We had the same issue and solved it by configuring a max-age value different from 0 (e.g. 86400) in IIS via IIS > edit default website > Configure > HSTS... > max-age = 86400

(more info on HSTS, max-age: what is max-age property in HSTS security header?)

Not sure what one has to do with the other, but the duplicated sessionId disappeared.

snookie
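A small header audit that surfaces the condition in the question and the setting the answer changed, as an added example rather than code from either poster. The response text is constructed: it repeats the Set-Cookie line from the question and carries an assumed HSTS header with max-age=0; the reporting fields are this example's own design.

```python
import re

# Constructed sample response (not from the page): the duplicate ASP.NET_SessionId
# header from the question plus an assumed HSTS header with the max-age=0 value
# the answer replaced.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: ASP.NET_SessionId=2alwzlvkg2ckvi43s3y0t3lm; path=/; HttpOnly
Strict-Transport-Security: max-age=0
Set-Cookie: ASP.NET_SessionId=2alwzlvkg2ckvi43s3y0t3lm; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw):
    """Return (name, value) pairs in wire order; a dict would hide repeats."""
    headers = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():                   # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_set_cookie(raw):
    """Group Set-Cookie headers by cookie name; report repeats and weak flags."""
    cookies = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        cname, _, rest = value.partition("=")
        cvalue, *attrs = [p.strip() for p in rest.split(";")]
        cookies.setdefault(cname.strip(), []).append((cvalue, {a.lower() for a in attrs}))
    report = []
    for cname, entries in cookies.items():
        attrs = set.intersection(*(a for _, a in entries))   # flags present on every copy
        report.append({
            "cookie": cname,
            "count": len(entries),
            # more than one distinct value means the client's final cookie depends on header order
            "distinct_values": len({v for v, _ in entries}),
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        })
    return report

def hsts_max_age(raw):
    """max-age from Strict-Transport-Security, or None when the header is absent."""
    for name, value in parse_headers(raw):
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            return int(m.group(1)) if m else None
    return None
```

Run it against a captured response; a duplicate with one distinct value is the benign case described in the question, while differing values or a missing Secure flag on the session cookie are worth fixing regardless of the duplicate.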