11

I am trying to configure sessions for an asp.net core 2.0 website, but the session cookie is never set.

I call ..

app.UseSession();

...in Startup.Configure and ...

        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromMinutes(10);
            options.Cookie.HttpOnly = false;
            options.Cookie.Name = "WS_AUTH_ID";
        });

... in the ConfigureServices method.

In the Controller I can acess ...

HttpContext.Session.Id;

... but the id is always different for every request.

Am I missing something?

Update: I should metion that I can set cookies "manually" and the browser will "receive" them.

HttpContext.Response.Cookies.Append("Test_cookie", "yo");
Preli
  • 2,953
  • 10
  • 37
  • 50
  • 6
    Are you actually writing to the session, or just looking at the id? The cookie isn't written unless you add something to the session. – Tratcher Mar 14 '18 at 11:39
  • 1
    @Tratcher you are right. I knew it would be something simple. I just wish one of the tutorials would mention that. – Preli Mar 14 '18 at 12:33
  • It is a storage system. How else are you using it? – Tratcher Mar 14 '18 at 13:03
  • Good point. But I only need it to identify the visitor/user, so the session cookie is all I really need. – Preli Mar 14 '18 at 13:58
  • That'll only be good for the life of the session, though. Then, the user will look like a new one, which could prove problematic, based on what you're actually doing. It might actually be better to just forgo the session and just write a cookie directly. Then, you can make it far future expired, and identity the user across multiple visits over days or weeks, as long as they don't manually remove the cookie. That's basically what Google does for analytics, AdWords, etc. – Chris Pratt Mar 14 '18 at 14:01
  • That's okay. I don't actually want to track my users. I just want to identify the user while he is "using" the site. Especially if they have it open in multiple tabs. I might also use the session to store data in the future. – Preli Mar 14 '18 at 14:14

4 Answers4

12

This was the cause for me:

The extension Microsoft.AspNetCore.CookiePolicy (UseCookiePolicy) was blocking the session cookie. Removing this extension and running the app in a new browser window fixed the issue.

Rationale: this extension blocks the cookies sent to the browser until the user accepts them. Since the session key is stored in a cookie and cookies are blocked by this extension... No cookies, no session.

Another workaround could be to enable the application to work without session until the user accepts cookies (I didn't test this workaround).

Hope that helps.

Mark
  • 379
  • 3
  • 11
  • Override this issue by setting 'options.Cookie.IsEssential = true' inside services.AddSession() – sosNiLa Nov 27 '19 at 10:26
5

If you have the cookie policy turned ON the session cookiewon't be created until the user accepts the use of Cookies, this is to comply with the EU's GDPR.

You can remove the line app.UseCookiePolicy(); from you Startup and then it will work, otherwise your users will need to agree to the use of cookies before you can use the cookie for session control.

Rui Lima
  • 7,185
  • 4
  • 31
  • 42
  • As far as I understand from this GDPR official site its not a problem to have session cookies in your website and not asking for consent. See https://gdpr.eu/cookies/ So I don't see any reason why the user should accept strict (session) cookies to see them, with the cookiepolicy enabled in aspnetcore. – Michael Sep 30 '22 at 13:07
  • It depends on what you store in the cookie. A session cookie can store more than just the session id – Rui Lima Oct 01 '22 at 19:08
  • I see now... that remains true, ofcourse :) – Michael Oct 03 '22 at 07:26
3

For me the problem was solved by one of the comments on the question:

The cookie isn't written unless you add something to the session.

So just requesting the Session.Id won't help, you actually have to set something.

In my case it was a variable that was only set after some condition, and before that condition was met, it would create a new session ID over and over again.

Jham
  • 195
  • 12
1

You have to type the following in your ConfigureServices method:

services.AddMvc()
    .AddSessionStateTempDataProvider();

services.AddDistributedMemoryCache();
services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromMinutes(30);
    options.Cookie.Name = ".MyApplication";
});

In your Configure type the following

//enable session before MVC
app.UseSession();
app.UseMvc();
pitaridis
  • 2,801
  • 3
  • 22
  • 41