Reputation: 3480
Is there a way to enforce that an ASP.NET (.NET Framework 4.8, MVC 5) cookie-based session is started (the Set-Cookie HTTP header is sent to the client) only when certain conditions are met?
The background of the question is the data privacy act in the EU. The user has to/should explicitly allow the use of cookies before the application (website) is allowed to operate on (initialize, send, receive) such data. However, this question is only about the technical implementation, not about opinions or "facts" about the regulation or other means.
The website operates perfectly fine without cookies (or user identification). However, there is a special area in which cookies are required. The user should receive a cookie only when he agrees to cookies (user consent) and enters the special area (login page). On the other hand, when the user's browser sends a cookie to the ASP.NET application, the application should be able to handle it.
How can I restrict the Set-Cookie HTTP header so that it is only sent when it is programmatically "allowed" (e.g. the user has given consent and is on the login page)?
Upvotes: 0
Views: 483
Reputation: 56530
It depends on what you mean by ASP.NET in this case (I know, the naming is awful).
ASP.NET Core MVC 2.1 has support for this as a feature, where the idea of consent is built in, and you can mark cookies as essential or non-essential; then, if consent is not present, non-essential cookies will never get written out to a response. The MVC templates have this built in, and it's documented with sample code.
For other versions of ASP.NET (previous versions of Core MVC, non-Core MVC, or WebForms) there is nothing built in and you'll have to roll it yourself.
Upvotes: 1
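For the "roll it yourself" case on .NET Framework 4.8 / MVC 5 (the asker's setup), the following is an added example, not code from the question, the answer or any Microsoft template. It registers an IHttpModule that uses `HttpResponse.AddOnSendingHeaders` (available since .NET 4.5.2) to drop every non-essential cookie from `Response.Cookies` just before the headers go out, unless a consent cookie is present and the executing action has opted in via a filter attribute. The cookie names (`cookie_consent`), the allow-list of "essential" cookies, the `Items` keys, the namespace and the `AccountController` are all assumptions made for the example; that removing a cookie from `Response.Cookies` inside the sending-headers callback suppresses its Set-Cookie header is also an assumption you should verify against your pipeline mode.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

namespace ConsentExample
{
    // Added example. Every name in this file is an assumption, not a System.Web API contract.
    public static class CookieConsent
    {
        public const string ConsentCookieName = "cookie_consent";                      // assumed name
        internal const string GrantedThisRequestKey = "CookieConsent.GrantedThisRequest";
        internal const string AreaAllowedKey = "CookieConsent.AreaAllowed";

        // Cookies allowed out regardless of consent ("strictly necessary").
        // Which cookies qualify is a policy decision; this list is an assumption.
        public static readonly HashSet<string> Essential =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                ConsentCookieName,
                "__RequestVerificationToken",   // MVC anti-forgery cookie
            };

        // Request.Cookies indexer returns null when absent (unlike Response.Cookies, see below).
        public static bool HasConsent(HttpCookieCollection requestCookies)
        {
            var c = requestCookies[ConsentCookieName];
            return c != null && c.Value == "1";
        }

        // Called by the login page once the user has agreed. The consent cookie is itself
        // essential, so it passes Enforce(); the Items flag lets other cookies set in this
        // same response out, because the request that granted consent does not carry it yet.
        public static void Grant(HttpContext ctx)
        {
            ctx.Response.Cookies.Add(new HttpCookie(ConsentCookieName, "1")
            {
                HttpOnly = true,
                Secure = true,                   // assumes the site is served over HTTPS
                SameSite = SameSiteMode.Lax,     // HttpCookie.SameSite exists on .NET 4.7.2+
                Expires = DateTime.UtcNow.AddMonths(6),
            });
            ctx.Items[GrantedThisRequestKey] = true;
        }

        // Runs immediately before headers are sent: strip non-essential cookies unless
        // (consent present OR granted in this response) AND the action opted in.
        internal static void Enforce(HttpContext ctx)
        {
            bool consent = HasConsent(ctx.Request.Cookies) || ctx.Items.Contains(GrantedThisRequestKey);
            bool inArea = ctx.Items.Contains(AreaAllowedKey);
            if (consent && inArea) return;

            var cookies = ctx.Response.Cookies;
            // AllKeys returns a copy, so removing while iterating is safe. Never probe with
            // Response.Cookies["name"]: that indexer CREATES an empty cookie when it is missing.
            foreach (string name in cookies.AllKeys)
            {
                if (!Essential.Contains(name))
                    cookies.Remove(name);        // Set-Cookie for this name is no longer emitted
            }
        }
    }

    // Register in web.config:
    // <system.webServer><modules>
    //   <add name="CookieConsent" type="ConsentExample.CookieConsentModule" />
    // </modules></system.webServer>
    public sealed class CookieConsentModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += (sender, e) =>
                ((HttpApplication)sender).Context.Response.AddOnSendingHeaders(CookieConsent.Enforce);
        }

        public void Dispose() { }
    }

    // Marks the "special area" from the question: apply to the login controller and the
    // controllers behind it. Everywhere else, non-essential cookies never leave the server.
    public sealed class CookiesAllowedAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            filterContext.HttpContext.Items[CookieConsent.AreaAllowedKey] = true;
        }
    }

    [CookiesAllowed]
    public class AccountController : Controller
    {
        [HttpGet]
        public ActionResult Login() => View();

        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Login(bool acceptCookies)
        {
            if (!acceptCookies)
                return View();                                   // only essential cookies can leave

            CookieConsent.Grant(System.Web.HttpContext.Current);
            Session["loginStarted"] = true;                      // ASP.NET_SessionId may now be set
            return RedirectToAction("Index", "Home");
        }
    }
}
```

Two caveats a practitioner should check before relying on this. First, the filter only sees `Response.Cookies`; a component that writes a raw `Set-Cookie` header (for example via `Response.AppendHeader`) bypasses it, and inspecting `Response.Headers` for that is only possible in the IIS integrated pipeline. Second, stripping `ASP.NET_SessionId` after code has written to `Session` leaves orphaned server-side session state, so controllers outside the consented area should also carry `[SessionState(SessionStateBehavior.Disabled)]` so they never start a session in the first place.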