ASP.NET - Is it possible to block cookies declaratively in an aspx page?

Question

can cookies be blocked using a page directive instead of doing it programmatic?

Answer 1

I agree with thomas. If you are gunning for the session cookie, then disable session. The server will stop sending session cookies to the browser and the browser will stop returning them on subsequent requests.

http://support.microsoft.com/kb/306996

If you are trying to engage in industrial sabotage or some heavy handed security, i.e. treating all http requests with cookies as invalid requests, then

if (Request.Cookies.Count > 0)
{
     throw new HttpException(
    "Keep your stinking cookies.  I accept request only browsers"+
    " configured to disable the sending of cookies.");
}

If you are trying to ignore cookies or to figure out why the app you maintain results in cookies (usually auth or some state managment), then search your source code for these and comment them out.

• Request.Cookies, Requests.Cookies.Add()
• Session (can still work with cookie-less sessions, where session Id is in the URL)
• Membership (can still work with cookie-less sessions, where auth token is in the URL)

Answer 2

First, AFAIK, there is no way to do anything with respect to cookies declaratively other than force HttpsOnly or to choose cookieless Sessions. "Not accepting" makes no sense given how cookies work. Is it that you are trying to expire the existing cookies? If so, again, you must do this programatically.

Answer 3

After reading through the 43 separate page directive attributes I don't reckon that you can block cookies using a page directive (i.e. using the <%@ Page attribute="value" [attribute="value"...] %> syntax).

Answer 4

Why? If you don't want the cookies, just don't use them. You can't stop the browser from sending cookies to the server; but you can simply not use them.