To avoid adding cookie consent acceptance, I would like to disable cookies for certain pages in my asp.net site. I know I can add this to the config:
<configuration>
<system.web>
<sessionState cookieless="true" />
</system.web>
</configuration>
But is it possible to specify that only certain pages (in matter fact only one page) to be cookieless?
Related
I have a fairly large Umbraco instance containing a mix of marketing pages and web applications.
About 10% of the Content node pages are web application pages. I want to disable SessionState for the remaining 90% of pages which don't need it, in order to improve performance and avoid contention. We are using SQL Server sessions.
Is there any way to do this? As far as I've been able to find out, the only way to disable SessionState on a per-page basis is to include EnableSessionState="False" in the .aspx #Page declaration. But as Umbraco generates virtual .aspx pages, I can't see any way in which to do this.
There doesn't appear to be any way in code to effect it either.
Since you seem to be using nested webforms master pages in Umbraco (rather than MVC) you are left with one option since the Masterpages don't have the public property 'enablesessionstate'
As far as I know you are left with one option which is to handle the sessionstates in the web.config
There are two scenarios, implicit and explicit
Explicit exclusion
<!-- globally enbabled sessionstate -->
<system.web>
<sessionState mode="On" />
</system.web>
<!-- disable on specific paths -->
<location path="path/whatever">
<system.web>
<sessionState mode="Off" />
</system.web>
</location>
<location path="otherplace">
<system.web>
<sessionState mode="Off" />
</system.web>
</location>
Implicit
<!-- globally disabled sessionstate -->
<system.web>
<sessionState mode="Off" />
</system.web>
<!-- enable on specific paths -->
<location path="path/whatever">
<system.web>
<sessionState mode="On" />
</system.web>
</location>
<location path="otherplace">
<system.web>
<sessionState mode="On" />
</system.web>
</location>
If you're using web forms, you could potentially hook into the page loading event and check the page template to then set the session state on or off?
Which version of Umbraco are you using?
I want to use cURL from my webserver to call a page on my website (importdata.aspx) on that same webserver. But I want to make sure the importdata.aspx page can not be accessed from the internet.
I use forms authentication on my site, so I can't have the cURL call login for me.
In my web.config file I've disallowed non-authenticated users:
Setting up a different site and allowing anonymous users through IIS, still won't let me access importdata.aspx, as my formsauthentication would prevent that right?
Is there a way to allow importdata.aspx to be accessed only through the local machine and blocking it completely from outside?
Web.config files have some options to set different configs, based on the URL path. https://msdn.microsoft.com/en-us/library/ms178692(v=vs.90).aspx
Example:
<configuration>
<system.web>
<sessionState cookieless="true" timeout="10" />
</system.web>
<!-- Special configuration for the "importdata.aspx" -->
<location path="importData.aspx">
<system.web>
<authentication mode="Windows" />
</system.web>
</location>
</configuration>
In this example, I defined a different authentication mode for the importData.aspx file.
Is there a way of turning on and off the session cookie in ASP.NET without using the <#PAGE construct? A way to overrule the construct?
I want sometimes to have session enabled on the page, sometimes disabled. I don't want to have to keep recompiling the website to enable or disable the session. In php you could turn on session by open_session() , I wonder if there's an asp.net equivalent. I'm looking for a way to enable the session in code.
If someone visits the Login page, the session is then enabled for the whole otherwise, it is not enabled and the site is sessionless, cookieless.
You must set the Off mode in the sessionState of the web.config file, in this way it disable the session of the application but if you want to disable the asp.net cookie but still track of the session you could use the cookielessoption.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<sessionState mode="Off"/>
<!-- or -->
<sessionState cookieless="true"/>
</system.web>
</configuration>
Guess you can do it in web.config: https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.71).aspx
For more than a couple of years, we have successfully used the approach outlined in this post for enabling mixed-mode authentication in our Asp.Net app:
https://stackoverflow.com/a/7735008
We have 2 pages, Login.aspx and WindowsLogin.aspx with appropriate elements as highlighted in above post. Everything has been working fine until recently when it broke and we are unable to figure out why or when it broke down (for a few months, we had been working on major new features in our app, we added a few managed modules and other things, but I have tried eliminating them one at a time with no avail).
We have this defined for our global authentication:
<system.web>
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/Login.aspx" slidingExpiration="true" timeout="10" />
</authentication>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<basicAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
Then appropriate elements exactly as in the referenced post. Now when I visit WindowsLogin.aspx directly in browser, it 302 redirects me to Login.aspx with return url set to WindowsLogin.aspx. I have tried simplifying web.config by eliminating all unneeded configuration until all remained was bare bones authentication and other pieces. Still WindowsLogin.aspx redirects to Login.aspx (i.e. Forms authentication is kicking on WindowsLogin.aspx page).
The interesting thing is if I change loginUrl to WindowsLogin.aspx (with everything else remaining exactly same), then WindowsLogin.aspx shows me the native browser authentication challenge as expected.
I have tried and exhausted all options I could think of to get this work with loginUrl set to Login.aspx, but it simply doesn't work.
I enabled IIS tracing rules for 302 redirect and captured a log file where WindowsLogin.aspx was redirecting to Login.aspx (with loginUrl set to Login.aspx). The trace file is available here:
http://imbibe.in/public/fr000001.xml
Can someone please help me in figuring out why is FormsAuthentication module kicking on WindowsLogin.aspx page when its WindowsAuthentication module that is supposed to do the auth there. And why does just switching the login url raises the 401 challenge on Windows Auth page. We are working with IIS 7.5 on Win Server 2008.
UPDATE: I created a simple web app with only 3 pages, Default, Login and WindowsLogin and followed the mixed-mode authentication approach on the same server and it worked. Which obviously means its something in our application/app pool that is interfering. I am hoping the IIS Trace log provided can shed some light on it.
If I completely remove <authentiction mode="Forms"> from our app's web.config (which essentially means no auth is enabled), then Login and WindowsLogin pages work fine.
But with the current configuration only, going to WindowsLogin redirects back to Login.aspx.
You need to add some location exceptions in your web.config file (anywhere outside the regular System.Web section):
<!-- Providing it's in the root - No leading slashes! -->
<location path="WindowsLogin.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
This will allow all non-authenticated FORMS users to access the page. Otherwise your users will keep getting redirected to the FORMS login page (as they should).
From everything I've read online, a web.config like this should enable HttpOnly cookies, in ASP.NET 2.0. However this is not working.
<configuration>
<system.web>
<httpCookies httpOnlyCookies="true" />
</system.web>
...
</configuration>
Is there something else I'm missing? I've seen many posts on this subject, but the cookies will not show up as HttpOnly (or secure, if I add the requireSSL="true" to the tag).
I'm using IIS 7.0.
Edit:
I'm trying to set this in the web.config at the root level to cover all cookies. I'm looking at the cookies in Firebug on the ASP page and the 'HttpOnly' section that should have green text saying 'HttpOnly' is empty for some of them.
Example: