Reason to rename ASP.NET Session Cookie Name?

抹茶落季 2021-01-11 15:33

Is there any reason (safety?) why someone should rename the ASP.NET Session Cookie Name, or is it just a senseless option of ASP.NET?

6 Answers
  •  情书的邮戳
    2021-01-11 15:44

    According to the following specification, https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00, that modern browsers implement, the prefixes are used to make things more secure.

    3.1. The "__Secure-" prefix

    If a cookie's name begins with "__Secure-", the cookie MUST be:

    1. Set with a "Secure" attribute
    2. Set from a URI whose "scheme" is considered "secure" by the user agent.

      The following cookie would be rejected when set from any origin, as the "Secure" flag is not set:

      Set-Cookie: __Secure-SID=12345; Domain=example.com

      While the following would be accepted if set from a secure origin
      (e.g. "https://example.com/"), and rejected otherwise:

      Set-Cookie: __Secure-SID=12345; Secure; Domain=example.com

    3.2. The "__Host-" prefix

    If a cookie's name begins with "__Host-", the cookie MUST be:

    1. Set with a "Secure" attribute
    2. Set from a URI whose "scheme" is considered "secure" by the user agent.
    3. Sent only to the host which set the cookie. That is, a cookie named "__Host-cookie1" set from "https://example.com" MUST NOT contain a "Domain" attribute (and will therefore be sent only to "example.com", and not to "subdomain.example.com").
    4. Sent to every request for a host. That is, a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".

      The following cookies would always be rejected:

      Set-Cookie: __Host-SID=12345
      Set-Cookie: __Host-SID=12345; Secure
      Set-Cookie: __Host-SID=12345; Domain=example.com
      Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
      Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
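
The prefix rules quoted in the answer above, written out as a check that can be run against the Set-Cookie headers an application emits. This is an added example, not code from the answer or from the draft; the function names are hypothetical, and "secure scheme" is assumed to mean https.

```javascript
// Added example: evaluates a Set-Cookie header against the "__Secure-" and
// "__Host-" rules quoted above. Function names are illustrative assumptions.

// Split "name=value; Attr; Attr=val" into the cookie name and an attribute map
// keyed by lowercase attribute name.
function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, "").split(";").map((s) => s.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    if (part === "") continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Decide as a prefix-enforcing user agent would. originUrl is the URL of the
// response that carried the header. Assumption: "secure scheme" means https.
function checkCookiePrefix(header, originUrl) {
  const { name, attrs } = parseSetCookie(header);
  const isHost = name.startsWith("__Host-");
  if (!isHost && !name.startsWith("__Secure-")) {
    return { accepted: true, reason: "no prefix, no extra requirements" };
  }
  if (!attrs.has("secure")) {
    return { accepted: false, reason: "missing Secure attribute" };
  }
  if (new URL(originUrl).protocol !== "https:") {
    return { accepted: false, reason: "not set from a secure scheme" };
  }
  if (isHost && attrs.has("domain")) {
    return { accepted: false, reason: "__Host- forbids a Domain attribute" };
  }
  if (isHost && attrs.get("path") !== "/") {
    return { accepted: false, reason: "__Host- requires Path=/" };
  }
  return { accepted: true, reason: "prefix requirements met" };
}

// Constructed sample: a renamed session cookie that satisfies the __Host- rules.
console.log(checkCookiePrefix("Set-Cookie: __Host-SID=12345; Secure; Path=/; HttpOnly", "https://example.com/"));
```

The default ASP.NET_SessionId name carries no prefix, so it takes the first branch and gets none of these guarantees from the browser.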
