Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute - asp.net

Can someone help me resolve this Qualys issue?
After Qualys scan, there is an issue that says to add the HTTP Only flag. I have set the HTTP Only flag in web.config of Asp.Net Application but it doesn't resolve. We are using Azure Active Directory (single Sign-On) authentication.
Don't know where I can set the flag to true. Moreover, in some blogs, they mentioned modifying NuGet packages.
I have attached the screenshot. Please refer to it. Thanks in advance.
Flags are: wlidperf, ESTSAUTHLIGHT, brcap, ch, clrc

You can change the settings related to HTTPS Only option under the following root inside your Azure Dashboard:
Settings - Custom Domains - HTTPS Only
However, you have to check your security options and configurations, because this can engender security-related problems later down the road.
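A scanner finding of this kind is derived from the Set-Cookie headers in HTTP responses, so the first thing to establish is which host actually issued each flagged cookie. The checker below is an added example, not code from the question or the answer above: it parses Set-Cookie header values the way a scanner would, reports cookies without the HttpOnly attribute, and groups them by the host whose response carried them. The header lines and host names are constructed placeholders.

```python
"""Report Set-Cookie headers that lack the HttpOnly attribute, grouped by issuing host.

Added example. Attribute matching is case-insensitive, as browsers treat it.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class CookieReport(NamedTuple):
    issuing_host: str  # host whose HTTP response carried this Set-Cookie header
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(issuing_host: str, header_value: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # attribute names only; values (e.g. path=/) are irrelevant for this check
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(issuing_host, name, "httponly" in attrs, "secure" in attrs)


def find_cookies_missing_httponly(
    responses: Iterable[Tuple[str, str]]
) -> List[CookieReport]:
    """responses: (issuing_host, set_cookie_value) pairs. Returns cookies without HttpOnly."""
    reports = (parse_set_cookie(host, value) for host, value in responses)
    return [r for r in reports if not r.http_only]


def group_by_host(reports: Iterable[CookieReport]) -> Dict[str, List[str]]:
    """Map each issuing host to the names of its flagged cookies.

    Only cookies under the application's own host can be fixed in that
    application's configuration; cookies set by another host's response
    belong to that host."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for r in reports:
        grouped[r.issuing_host].append(r.name)
    return dict(grouped)


# Constructed sample responses (placeholder hosts and values, not real captures).
SAMPLE_RESPONSES = [
    ("app.example.test", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("app.example.test", ".AspNet.Cookies=xyz; path=/; secure"),
    ("login.example.test", "wlidperf=FR=L&ST=1; domain=.example.test; path=/; secure"),
]

if __name__ == "__main__":
    for host, names in group_by_host(find_cookies_missing_httponly(SAMPLE_RESPONSES)).items():
        print(host, "->", ", ".join(names))
```

Setting httpOnlyCookies="true" on the httpCookies element under system.web in web.config applies to cookies the ASP.NET application itself issues; a cookie that arrives in a response from a different host (for example the sign-on host in a single sign-on flow) is outside that application's control, and the finding has to be addressed where that cookie is set.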

Related

Ghost CMS navigation goes to non-custom domain

I have a Ghost site at https://msclouddeveloper.com
However, the navigation links point to an azurewebsites.net address. But in the Ghost CMS the correct custom domain is shown (msclouddeveloper.com).
The websiteUrl appsetting is also set correctly.
What could be wrong? I've already restarted the app service.
Don't know if I missed this when reading the setup guide for custom domains, but you need to add two AppSettings:
websiteUrl http://www.msclouddeveloper.com
websiteUrlSSL https://www.msclouddeveloper.com
Then restart the App service.
What could also be an issue is the environment setup you have enabled. See this documentation for more info https://docs.ghost.org/docs/config
For custom domain SSL links to work you need to have the production environment enabled. You set this in the file iis-node.yaml I believe. But it was already correct in my case.

plone add-on collective.sendaspdf: login required for downloading page

I'm using collective.sendaspdf for PDF download of Plone pages, but it asks users to log in when they download public content.
This appears strange as it happens just in the production server, not in the development server (the only difference seems that the latter is started in foreground mode).
Of course I can't assign particular permissions on objects to anonymous users, so I guess the problem is somewhere else
Thanks to Jean's suggestion, I enabled verbose security and the error is "Unauthorized: You are not allowed to access '##at_base_edit_view' in this context".
This looks strange to me as the page is the view of my Archetypes-based content type, and it is published so it is visible to anonymous users. I repeat also that I have the development server with the same software installed where the authorization is correctly given, i.e. the page can be downloaded by anyone without login... what changes is the network configuration (I have an Apache that performs some URL rewriting in front of my Zope server, but this just affects the path of the Plone site to be hidden).
I wonder if I can manage to correct this just through the sendaspdf configuration. I don't know which additional info I could provide about the environment/configuration. I'm running Plone 4.0.4 + collective.sendaspdf 2.0
Ok, the problem was due to a bug in how collective.sendaspdf handles Archetypes-based content types; it's possible to work around it by replacing the code:
view_name = context_type.getProperty('immediate_view')
with
view_name = context_type.getProperty('default_view')
in the method get_page_source of base.py, or by waiting for the next release of the product.

ASP.Net custom errors on specific hosts

Is there a way to display custom errors on specific host(s) (eg: www.example.com) and display vanilla errors on others (eg: beta.example.com)?
I'm thinking along the lines of configuration syntax that can be added to the customErrors section of the web.config.
It's actually for MVC 3, if that makes any difference.
The sites are hosted on separate servers. http://beta.yogaloft.co.uk/ is built and deployed automatically by appharbor and promoted to http://www.yogaloft.co.uk/ whenever it's ready for the wild.
What I would do is use a customized HandleErrorAttribute to detect the request and show the custom error on www.example.com.
Basically, extend the HandleErrorAttribute (HandleCustomErrorAttribute : HandleErrorAttribute) and put in the logic to detect if the request is coming from example.com and, if so, show a specified view.
I have not tried it this way, but it shouldn't be impossible.
If these hosts are set up on the same directory, you can't.
All you can do is use the customErrors="RemoteOnly" setting and beta test locally.
You really should use two different sites for the production and testing.

Plone & CGI single-sign-on using mod_auth_tkt

A couple of questions have had answers suggesting making use of mod_auth_tkt to allow Plone 4 (Plone and Asp.Net Integration, Use Plone's authentication mechanism to login to other sites.) to authenticate other web applications, and since I have a couple of CGIs that already jump through hoops to authenticate via Plone, this seems ideal for my purpose. However, I can't seem to find much documentation about using mod_auth_tkt in general, and absolutely none about using it with Plone.
I have the following problems.
mod_auth_tkt expects a shared "secret". mod_auth_tkt's examples show Apache getting this from a config file. Plone doesn't share its secrets - so how does Apache know that a given Plone cookie is a valid auth_tkt?
What URL would one use in the Apache config TKTAuthLoginURL? [I'm not sure that's vital, as, at the moment, I'm only really interested in ensuring that something is invoked from inside Plone, rather than directly as a CGI]
Apache expects the ticket cookie to be named via TKTAuthCookieName (default 'auth_tkt'). What does Plone call it? __ac?
The documentation on using mod_auth_tkt is a man page distributed with the source.
In answer to your specific questions:
In /Plone/acl_users/session. On the Manage secrets tab set a shared secret. (This is described in the documentation for setting up a shared secret with an IIS login form.) You should set the same secret in the Apache config with the TKTAuthSecret directive.
For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1 use /Plone/login, assuming that the Plone site is hosted at /Plone. Use /login_form or /login if it is hosted at the root.
Plone uses _ac by default, so use TKTAuthCookieName "_ac". (The cookie name Plone uses is set in the acl_users session settings and cookie authentication settings.)
You might have to set TKTAuthBackArgName "came_from", though I think Plone will fall back to the referrer URL so it may work without. And you will need to check the "Use mod_auth_tkt compatible hashing algorithm" option on the preferences tab of acl_users/session.
It turns out that there seems to be a conflict with pas.plugins.sqlalchemy. I've been investigating PPS, and while it doesn't seem that there should be any crossover, the site I was testing had PPS installed. When I switched to a site without PPS, setting the "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have fallen into the maintenance role for pas.plugins.sqlalchemy, I guess it's my problem :-)
Domo arigato, Mr. Rowe-boto!
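The three settings the answer above lines up (the same secret on both sides, the cookie name, and the mod_auth_tkt compatible hashing) all matter because Apache never contacts Plone: it recomputes the ticket digest from the cookie value and its own TKTAuthSecret. The block below is an added example, not code from Plone, plone.session or mod_auth_tkt. It follows the ticket layout documented for mod_auth_tkt (a 32-hex-character MD5 digest, an 8-hex-character timestamp, the user id, then "!"-separated tokens and user data, with the digest being MD5 of MD5(packed IP and timestamp + secret + user + "\0" + tokens + "\0" + data) + secret) and shows both the issuing side and the verifying side. The secret, user name and 0.0.0.0 address are constructed placeholders; binding the real client address into the ticket is a deployment choice on both sides and is not assumed here.

```python
"""Issue and verify a mod_auth_tkt style ticket under a shared secret.

Added example implementing the documented mod_auth_tkt ticket format.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def _ip_timestamp(ip: str, ts: int) -> bytes:
    # mod_auth_tkt packs the IPv4 address (4 bytes) and the timestamp (4 bytes, big-endian)
    octets = [int(o) for o in ip.split(".")]
    return struct.pack("!4BI", *octets, ts)


def _digest(ip: str, ts: int, secret: bytes, user: bytes, tokens: bytes, data: bytes) -> str:
    inner = hashlib.md5(
        _ip_timestamp(ip, ts) + secret + user + b"\0" + tokens + b"\0" + data
    ).hexdigest()
    return hashlib.md5(inner.encode("ascii") + secret).hexdigest()


def create_ticket(secret: bytes, user: str, ip: str = "0.0.0.0", tokens: str = "",
                  data: str = "", ts: Optional[int] = None) -> str:
    """Build the cookie value the issuing side (Plone, in the thread above) would set."""
    ts = int(time.time()) if ts is None else ts
    digest = _digest(ip, ts, secret, user.encode(), tokens.encode(), data.encode())
    value = "%s%08x%s!" % (digest, ts, user)
    if tokens:
        value += tokens + "!"
    return value + data


def verify_ticket(secret: bytes, ticket: str, ip: str = "0.0.0.0",
                  now: Optional[float] = None, timeout: int = 0) -> Optional[str]:
    """Return the user id if the digest matches this secret (and the ticket is not expired).

    This is the check the verifying side (Apache with TKTAuthSecret) performs; a ticket
    issued under a different secret, or with a different hash scheme, yields None.
    """
    if len(ticket) < 41:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    if "!" not in rest:
        return None
    user, remainder = rest.split("!", 1)
    if "!" in remainder:
        tokens, data = remainder.split("!", 1)
    else:
        tokens, data = "", remainder
    expected = _digest(ip, ts, secret, user.encode(), tokens.encode(), data.encode())
    if not hmac.compare_digest(expected, digest):
        return None
    current = time.time() if now is None else now
    if timeout and current - ts > timeout:
        return None
    return user


if __name__ == "__main__":
    shared = b"placeholder-shared-secret"
    t = create_ticket(shared, "alice", tokens="staff", data="came_from=/")
    print(t)
    print("same secret   ->", verify_ticket(shared, t))
    print("other secret  ->", verify_ticket(b"different-secret", t))
```

The timeout check corresponds to the expiry Apache applies to the hex timestamp; a ticket whose digest is valid but whose timestamp is too old is rejected just like one signed with the wrong secret, so clock agreement between the issuing and verifying hosts matters as much as the secret does.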

Request Filtering/URL rewriting with IIS7 - not working

I cannot get the URL rewriting module to work on my local PC (vista x86)
I set up a new rule using the 'user friendly URL' template.
A picture rather than 1000 words...
(the image contains 3 shots - creation, config and pattern test)
http://www.sk8loc8.com/rewriteIssue.jpg
So now that is set up, if I request 'localhost/iisrewriteurl/content/5' I should see my content.aspx page.
nope...
Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL IISRewriteURL/content/5/
Physical Path C:\Users\Guy\Documents\Visual Studio 2008\Projects\IISRewriteURL\IISRewriteURL\content\5\
Logon Method Anonymous
Logon User Anonymous
When I go back into the rule itself and test the patterns that IIS made for me, they do not work.
I have tried adding a wildcard script map under the handler mappings section but this makes no difference.
Has anyone seen this type of behaviour before? Or am I missing something very simple?
If you test the pattern you don't need the Host.
I always just create Blank Rules and have not had a problem that way, though I'm not sure if it matters. I cannot discover why that rewrite wouldn't work; perhaps other rules are blocking it?
Alternatively you may have a look at Helicon Ape product that emulates Apache modules behavior on IIS7. It has simpler syntax and Helicon Ape Manager automatically checks the syntax of the rules you write.
