Stop cookies sending?

Hi, I would like to know if there’s a way to tell SS to stop send cookies.
I read here: Self Host + Serve static files with no cookies? that cookies are added with SessionFeature and implicitly by AuthFeature.
I’m trying to develop a token based authentication system using a custom credentials auth provider and I wouldn’t need t the cookies, there is any solution for this?

Thank you!

The Cookies are populated by the Request Filter registered in the SessionFeature so you could remove the last Request Filter added after you’ve registered the AuthFeature (which registers the SessionFeature), but note the cookies are used to identify the Users Session, if they’re not going to exist you’ll need to populate req.Items[SessionFeature.SessionId] yourself.

Another option is to just clear the Cookies after they’ve been added with:


//req.Response.ClearCookies(); // from IRequest

I don’t know if I had understand… In the first case should I do something like this?

    new AuthFeature(() => new CustomUserSession(),
        new IAuthProvider[] {
            new CustomAuthProvider()


and in the second case something like this?

this.GlobalResponseFilters.Add((req, res, responseDto) =>

    //req.Response.ClearCookies(); // from IRequest

…because no one seems to work…

The Filters are only added when the Plugin is Registered so you could only remove them after they Plugins have been registered either by overriding OnAfterInit():

public override void OnAfterInit() {
    base.OnAfterInit(); //important

Or by registering a AfterInitCallbacks which gets called after the AppHost is initialized.

Can you confirm ClearCookies() is being called in the request where the Cookies are added (i.e. in a debugger)? Can you provide the HTTP Response Headers showing the Set-Cookie being returned?

FYI this should now be easier with the new Config.AllowSessionCookies option to suppress just the Session Cookies:

SetConfig(new HostConfig {
    AllowSessionCookies = true //disable session cookies

If you need more control this default behavior is customizable by overriding AppHost.AllowSetCookie().

This change is available from v4.0.53 that’s now available on MyGet.

Thank you Demis… I will check it out!
Is there also a way to rename the cookies?

No they’re a hard-coded and predictable convention.

Ok! no problem… I was just curious.