Using the following web.config file properties I am not able to have my site either remove a session cookie or force the cookie to use HTTPOnly. I am using a basic classic asp website with the below configuration in my web.config file
<configuration>
<system.web>
<httpCookies httpOnlyCookies="true" />
<sessionState mode="Off" cookieless="true"/>
</system.web>
</configuration>
I have tried to use the following outbound rule to rewrite the URL however when the site gets scanned using Qualys it does not rewrite the cookie before the website is scanned. Here is the below property code that is not working:
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
You could always ask the client to 'kill' the cookie (with code attached below) and hope it does so. If this doesn't happen, it could be that there is a bug on the client side or that a user has copied the cookie out of the browser before the expiration, and copies it back in. Anyway... If you can't find a fix, the workaround would be to kill the cookie EVERYTIME you use it.
HttpCookie cookieToKill= new HttpCookie(cookieName);
cookieToKill.Expires = DateTime.UtcNow.AddDays(-1); //any negative value will do)
Response.Cookies.Add(cookieToKill);
Related
Our CMS Search is no longer working after this weekend's patch cycle. When we interrogate Chrome (other browsers are return search results) via Developer Tools we see these cookies flagged as having issues... but the description of the issue does not make sense because Secure is set to true AND SameSite is set to None.
It's difficult to know what to do here. I think getting Chrome to recognize that these cookies are configured correctly will solve our problem -- but I can't seem to figure out what is the problem?
In our web.config (CMS search was working up until Sunday):
<compilation debug="false" targetFramework="4.8">
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None"/>
<sessionState cookieSameSite="None" mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20"/>
This is the KB that was installed on Sunday that we think caused our CMS search to stop working:
https://support.microsoft.com/en-us/help/4576486/kb4576486
Thank you.
You could try to use the below iis URL rewrite rule:
<outboundRules>
<clear />
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
Reference link:
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
https://learn.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1
I have an Episerver website running on Azure and, for security reasons, i would like to block access to any requests to the cms admin section using a white list of ip addresses.
I have done this in the past with websites running on windows server but i have never done this on an Azure hosted site. I have tried the approach i took on previous sites, adding a security section to the web.config for the location i am trying to restrict eg:
<location path="cms/admin">
<system.webServer>
</ipSecurity>
<add allowed="true" ipAddress="{my ip address}" subnetMask="255.255.255.255" />
...
</security>
</system.webServer>
</location>
this works locally but it is not working when i deploy the web.config to Azure. it is preventing any users, including those in the whitelist from accessing the location.
I have also looked into making the changes in portal.azure using aplication->networking->Access-restrictions but this looks like it is intended to control access to the whole app, which is not what i want.
Does anybody know if i am doing this incorrectly, specifically for an Azure website? Is there a setting in access-restrictions that i have missed?
thanks
Sam
You can use iis url rewrite rule to block request to restrict ip for the specific path:
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="cms/admin" />
<conditions>
<add input="{REMOTE_ADDR}" pattern="192.168.2.*" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
If you want to allow some ip than you can add another condition with does not match the pattern.
For more detail you can refer below article:
Creating Rewrite Rules
Request Blocking - rule
This recently worked for me.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Block unauthorized access to admin" stopProcessing="true">
<match url=".*" />
<conditions>
<!-- Enter your staging site host name here as the pattern-->
<add input="{REQUEST_URI}" pattern="^/admin" />
<!-- Enter your white listed IP addresses -->
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" negate="true" />
<add input="{REMOTE_ADDR}" pattern="127\.0\.0\.2" negate="true" />
<!-- <add input="{REMOTE_ADDR}" pattern="123\.123\.123\.2" negate="true"/> -->
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="Site is not accessible" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
We solved this using url rewrite module, as others have suggested. We also realised that the ip address being passed in was not the true request origin IP address because of the cloudflare CDN. luckily the origin ip address is included in the rerouted request from Cloudflare so we were able to make this work using the url rewrite rule below. I have added this as the correct answer to the question because Jalpa's answer technically won't work in my specific context:
<rewrite>
<rules>
<rule name="restrict admin access by IP address" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_URI}" pattern="^/admin/login(.*)" />
<!-- localhost -->
<add input="{HTTP_True_Client_IP}" pattern="^127\.0\.0\.1$" negate="true"/>
<!-- my office -->
<add input="{HTTP_True_Client_IP}" pattern="^{your ip address here}$" negate="true"/>
</conditions>
<action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." />
</rule>
</rules>
</rewrite>
I need to redirect a lot of URLs like the following
http://localhost/OmniService/foto/18443151-810079.jpg
so, in my web.config I set the following regular expression:
<rewrite>
<providers>
<provider name="DB" type="DbProvider, Microsoft.Web.Iis.Rewrite.Providers, Version=7.1.761.0, Culture=neutral, PublicKeyToken=0545b0627da60a5f">
<settings>
<add key="ConnectionString" value="Driver={SQL Server Native Client 10.0};Data Source=localhost\sqlexpress;Initial Catalog=RewriteDB;Integrated Security=True;Server=localhost;uid=sa;pwd=working2014" />
<add key="StoredProcedure" value="RewriteDB.dbo.GetRewrittenUrl" />
<add key="CacheMinutesInterval" value="0" />
</settings>
</provider>
</providers>
<rules>
<rule name="DbProviderTest" stopProcessing="true">
<match url="(OmniService/foto/([0-9]+)-([0-9]+).jpg)" />
<!--<conditions>
<add input="{DB:{R:1}}" pattern="(.+)" />
</conditions>-->
<action type="Redirect" url="(Omniservice/foto/2017/02/02/18443151-810079.jpg)" />
</rule>
</rules>
</rewrite>
but it's not captured, despite testing with IIS says it's ok:
If I use <match url="(.*)" /> then I am redirected to the corrected new URL but nothing is showed anyway because it says there were too many redirects.
The rule works for me, but it redirects me to http://localhost/(Omniservice/foto/2017/02/02/18443151-810079.jpg) maybe you need to remove () from url attribute in action node? Do you not even see a 301 redirect with above rule?
I have the following in web.config...
<httpCookies httpOnlyCookies="true" requireSSL="true" />
These settings are being applied to my site's cookies correctly except for a cookie called 'UMB_PANEL' with a path of '/umbraco'.
I have tried adding a web.config file with duplicate settings into the '/umbraco' folder but it has no effect.
How can I get these cookie settings to apply to the whole site?
Bit late to the party with this but you can achieve what you need with Outbound Rules.
This will rewrite any cookies without Secure=true to be secure:
<outboundRules>
<rule name="Add Secure Cookies" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false"/>
<action type="Rewrite" value="{R:0}; Secure=true"/>
<conditions/>
</rule>
<preConditions>
<preCondition name="No Secure">
<add input="{RESPONSE_Set_Cookie}" pattern="."/>
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure=true" negate="true"/>
</preCondition>
</preConditions>
</outboundRules>
You can tweak the pattern if you need it to match a specific cookie, e.g: ^(UMB_PANEL).*
I believe that cookie only is set if you log in to the Umbraco admin area.
http://our.umbraco.org/forum/using/ui-questions/20674-Does-Umbraco-make-use-of-Cookies-anywhere-in-the-core-product
My guess is that your main web site users would never get that cookie. I realize that isn't directly answering the question, but perhaps it makes it a moot point?
I was stuck by a simple outbound rule, I want to modify the HTTP Content-Type to application/atom+xml, if the URL exactly matches http://wayneye.com/Feeds/Atom
My rule XML:
<outboundRules>
<rule name="AtomFeedsIMEType" patternSyntax="ExactMatch">
<match serverVariable="RESPONSE_CONTENT_TYPE" pattern="http://{HTTP_HOST}/Feeds/Atom" />
<action type="Rewrite" value="application/atom+xml" />
</rule>
Need help...
You are matching the server variable against the full URL, including domain name. That's not going to work ;-). It doesn't really matter what the value of the Content-Type is, you're going to replace it anyway so you can match is against anything. To make sure you don't replace it on every page, you need to add a precondition to match only requests starting with /Feeds/Atom (on {REQUEST_URI} ). Here's an example:
<outboundRules>
<rule name="AtomFeedsIMEType" preCondition="Match atom feeds">
<match serverVariable="RESPONSE_Content_Type" pattern="(.*)" negate="false" />
<action type="Rewrite" value="application/atom+xml" replace="true" />
</rule>
<preConditions>
<preCondition name="Match atom feeds">
<add input="{REQUEST_URI}" pattern="^/Feeds/Atom" />
</preCondition>
</preConditions>
</outboundRules>
For this to work, the server has to be set up to allow changing of the Content-Type header. This can be done either on the server level or on the site level but needs to be done by the Administrator. It's set in the applicationHost.config and not in the web.config. Here is a part of the applicationHost.config that allows that:
<location path="your_site_name">
<system.webServer>
<rewrite>
<allowedServerVariables>
<add name="CONTENT_TYPE" />
</allowedServerVariables>
</rewrite>
</system.webServer>
</location>
You can also allow this from the GUI, with the View Server Variables link under actions from the main URLRewrite screen. Hope this helps.