3

My site uses ASP.NET_SessionId cookies. This is standard ASP.NET header used for session management. CDN itself removes some headers from the response: in this case, the browser is not receiving "set-cookie" header for "ASP.NET_SessionId", despite the fact, it was sent by the web site (see screenshots below).

The home page is dynamic and is not intended to be cached. Also, page sets "no-cache" header.

This happens only with Azure CDN with Standard Microsoft profile.

Could you please provide any ideas on how to allow set-cookie to pass-through the CDN?

Original response headers:

Original Headers (two)

Original Headers (two)

As you can see there are two "Set-Cookie" headers.

CDN-ified response headers:

Headers with CDN (one)

Headers with CDN (one)

As you can see only one "Set-Cookie" header left, "ASP.NET_SessionId" is removed by CDN (some security rule?).

I cannot find any documentation on how to allow all headers to pass-through.

Thank you!

Igor Solomatov
  • 31
  • 3
  • Submitted ticket to Microsoft support. I will update that page once there is any clarity. – Igor Solomatov Jul 19 '19 at 20:32
  • Microsoft confirmed that issue (already know about it) and they are working on resolving it. No ETA or workaround provided. – Igor Solomatov Aug 05 '19 at 15:55
  • 1
    Microsoft has provided workaround: use CDN caching rules and set the configuration to "bypass" by default. Enable caching for specific subpaths and extensions as needed. – Igor Solomatov Aug 13 '19 at 01:38

1 Answers1

0

It seems that the ASP.NET session ID could not be cached as CDN could not cache such resources:

Dynamic resources that change frequently or are unique to an individual user cannot be cached.

You can get more details about how CDN caching works.

Nancy
  • 26,865
  • 3
  • 18
  • 34
  • Unfortunately, the issue is that it removes that header from the response, so that browser doesn't get it. I don't want and don't need to cache it. – Igor Solomatov Jun 14 '19 at 18:48
  • It should not intervene and modify a response by deleting some cookies it doesn't like breaking Microsoft session management in ASP.NET. – Igor Solomatov Jun 14 '19 at 18:57