After manually setting the Set-Cookie header, we will be logged out of the admin site

Northern Lights asked on August 12, 2025 07:58

We originally used the Kentico setting "CMSAdminCookiesSameSiteNone" value="true" in our system, but the security scan indicated that our Set-Cookie does not comply with the best usage standards. After manually setting the "Set-Cookie" value="MyCookie=xxx; SameSite=None; HttpOnly; Secure;"

After that, clicking on the media library in any component of the Pages admin section clears permissions and redirects us to the login page. Is this normal?

Should we let our security scan team mark this as a false positive, or do we have a way to solve this problem?

Correct Answer

vasu yerramsetti answered on August 12, 2025 09:59

Why you’re being logged out

  • Your custom Set-Cookie is likely overwriting the Kentico session cookie for the admin site, breaking the authentication
  • This is normal if you manually touch cookies in admin responses
  • The redirect to login when accessing the Media Library is a symptom of lost auth state

Recommendation: do not manually set the cookie headers for admin-related requests.

Instead, configure Kentico to output cookies with the attributes that pass your security scan:

<add key="CMSAdminCookiesSameSiteNone" value="true" />
<add key="CMSEnableHttpOnlyCookies" value="true" />
<add key="CMSEnableSecureCookies" value="true" />

If the scan is still flagging them:
Confirm the scan is targeting the right cookies (some might be public, not admin cookies).

If Kentico’s cookies already match best practices, this is indeed a false positive and should be marked as such in the report.

It’s not a Kentico bug: manually setting Set-Cookie for admin requests will break login. The correct approach is to configure cookies in Kentico’s web.config, not override them per response. If configured correctly and the scan still flags them, have your security team mark it as a false positive.

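As an added illustration (not code from this thread or from Kentico), the following Python check audits the Set-Cookie headers of a single response the way a scanner would, reporting which cookies lack Secure, HttpOnly or SameSite, and also flags the failure mode described in the answer: the same cookie name written twice in one response, where the later header replaces the earlier one. The cookie names and header lines in the sample are constructed.

```python
"""Audit Set-Cookie headers for required attributes and duplicate writes."""
from typing import Dict, List

# Attributes the scan in the question expects on every cookie (matched case-insensitively).
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Return cookie name -> list of findings; an empty list means the cookie is clean."""
    findings: Dict[str, List[str]] = {}
    seen = set()
    for header in headers:
        cookie = parse_set_cookie(header)
        name, attrs = cookie["name"], cookie["attrs"]
        issues = findings.setdefault(name, [])
        issues.extend(f"missing {a}" for a in REQUIRED_ATTRS if a not in attrs)
        # SameSite=None is only honoured by browsers when Secure is also present.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            issues.append("SameSite=None without Secure (browsers reject it)")
        # A second Set-Cookie for the same name replaces the first: the overwrite
        # that breaks the admin session when a framework cookie is re-set by hand.
        if name in seen:
            issues.append("set more than once in this response; the later header replaces the earlier one")
        seen.add(name)
    return findings


# Constructed sample response headers (names are illustrative, not Kentico's).
SAMPLE_RESPONSE_HEADERS = [
    "AdminSession=abc123; Path=/; HttpOnly; Secure; SameSite=None",  # framework-issued, compliant
    "MyCookie=xxx; SameSite=None; HttpOnly; Secure;",                 # the header from the question
    "CookieConsent=yes; Path=/",                                      # public cookie a scanner would flag
    "AdminSession=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",   # manual re-write that clobbers the session
]

if __name__ == "__main__":
    for cookie_name, issues in audit(SAMPLE_RESPONSE_HEADERS).items():
        print(cookie_name, "->", issues or "ok")
```

Run it against the real headers captured from the admin site (for example from the browser's network panel) to see whether the scanner is complaining about an admin cookie or about a public one, which is the distinction the answer asks you to confirm.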
