I need to set the httponly and the secure flag to all the cookies of my site to pass the security scans of my customer.
The web.config is configured correctly I think
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
And it is working for all the cookies I create inside my application, but not for google analitycs ones (I know I can not do anything about it) and what I suppose are the session cookies of asp.net (ai_user and ai_session).
Searching for this two cookies lead to nothing.
How can I force the httponly and secure flags?
I do not know if it is related, but I have also this rewrite rule
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
I tried to disable it, but nothing changed
I stumbled upon "ai_session" and "ai_user" cookies now with my project and I think they are from application insights. If you investigate further, please report back to community.
The right way to require SSL is via a global filter
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new System.Web.Mvc.AuthorizeAttribute());
filters.Add(new System.Web.Mvc.RequireHttpsAttribute());
}
Related
Our ASP.NET MVC web application has a few different subdomains we use for testing and legacy code. The subdomains are:
www.sitename.com (production site)
test.sitename.com (testing)
original.sitename.com (legacy code)
staging.sitename.com (occasionally used to testing right before a deployment)
We purposefully have the forms authentication not using domain level cookies because we want the cookies to be unique across these different subdomains. The problem is, when people get a link to the root domain (sitename.com), it requires them to log in again to get a cookie, even though they're already logged in to www.sitename.com.
Is there a way to share the cookie between only www.sitename.com and sitename.com without the other subdomains being affected?
You can avoid this problem by redirecting your non www domain to www with UrlRewrite module in >IIS7
rewrite rule to put into web.config
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to WWW" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTP_HOST}" pattern="^example.com$" />
</conditions>
<action type="Redirect" url="http://www.example.com/{R:0}"
redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
I'd recommend forcing the use of the www. version of the site, for this reason amongst others, this site has excellent reasons why...
http://www.yes-www.org/why-use-www/
To do this in .net you can add the following to your web.config
<system.webServer>
<rewrite>
<rules>
<rule name="Redirect to www" stopProcessing="true">
<match url="(.*)" />
<conditions trackAllCaptures="false">
<add input="{HTTP_HOST}" pattern="^sitename.com$" />
</conditions>
<action type="Redirect" url="{MapProtocol:{HTTPS}}://www.{HTTP_HOST}{HTTP_URL}" redirectType="Permanent"/>
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="MapProtocol">
<add key="on" value="https" />
<add key="off" value="http" />
</rewriteMap>
</rewriteMaps>
</rewrite>
</system.webServer>
This will auto-redirect permanently (see the addition of redirectType="Permanent") for non-www URLs to the www equivalent and retain the HTTP(s) protocol.
The trackAllCaptures part is related to the regex pattern matching - in our case we do not need to capture anything; we only need to match for the rule, so we can leave as false.
The regex pattern ^sitename.com$ will match when the hostname matches exactly to "sitename.com" - the ^ means the start position and the $ means the end position
The rewrite map is from an idea from Jeff Graves I believe, http://jeffgraves.me/2012/11/06/maintain-protocol-in-url-rewrite-rules/
The way I have shown shows just one way to do this, like with most things - there are multiple ways on achieving this.
Scott Forsyth has an article on a different way of achieving this too (also references Jeff Graves)
http://weblogs.asp.net/owscott/url-rewrite-protocol-http-https-in-the-action
You can use some thing like
sessionCookie.Domain = ".yourdomain.com" ;
then you will be able to request same cookies from any subdomain and edit it if you want.
In modern CMS, there are a number of places that redirect users by using returnUrl querystring. For example, redirect user to an internal Url after a successful login.
The problem is that the returnUrl is modifiable by anyone and is hence vulnerable. One way to handle this is to validate the parameters of the application script/program before sending 302 HTTP code (redirect) to the client browser. However, this requires changing of application code.
How can I handle it in IIS level? Is it possible to show an error page if the user is redirected to other domain without touching the application code?
I figured it out.
Install IIS URL Rewrite Module and then edit web.config of the web application and add the following in system.webServer node:
<rewrite>
<outboundRules>
<rule name="Rewrite Location Header" preCondition="IsRedirection" enabled="true">
<match serverVariable="RESPONSE_Location" pattern="http[s]{0,1}://localhost/(.*)" negate="true" />
<conditions>
</conditions>
<action type="Rewrite" value="http://{HTTP_HOST}/error.html" replace="true" />
</rule>
<preConditions>
<preCondition name="IsRedirection">
<add input="{RESPONSE_STATUS}" pattern="3\d\d" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
I'm trying to configure redirects to prepare the switch from an ASP to an MVC website. The IIS wildcard redirects are working fine, but I cannot figure out how to preserve the query parameters.
Example:
<system.webServer>
<httpRedirect enabled="true" exactDestination="true" httpResponseStatus="Permanent">
<add wildcard="/EmailAddress-Verify.aspx" destination="https://foo.com/account/email-verify$Q" />
</httpRedirect>
</system.webServer>
I read that $Q will preserve the query params but it's not working. Google could not find anything on that issue.. is there anything I'm missing here?
Thanks!
So this configuration was working perfectly! I just had to clear my browser cache since the redirection is Permanent and the browser 'remembered' my previous configuration while I was playing with the config file. My bad!
Y̶o̶u̶ ̶h̶a̶v̶e̶ ̶e̶x̶a̶c̶t̶D̶e̶s̶t̶i̶n̶a̶t̶i̶o̶n̶=̶"̶t̶r̶u̶e̶"̶.̶ However, more importantly, when you want to have more granular control with redirects, you're much better off using the URL Rewrite module. Your bit would be something like the following (not tested and quickly written up):
<rewrite>
<rules>
<rule name="Email Address Verify Redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{REQUEST_URI}" pattern="^EmailAddress-Verify.aspx(.*)$" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://foo.com/account/email-verify{R:1}" />
</rule>
...
</rewrites>
Oh, now that I think about it, you could probably just do a straight up pattern without the following wildcard and just appendQueryString="True" in the action.
I have the following in web.config...
<httpCookies httpOnlyCookies="true" requireSSL="true" />
These settings are being applied to my site's cookies correctly except for a cookie called 'UMB_PANEL' with a path of '/umbraco'.
I have tried adding a web.config file with duplicate settings into the '/umbraco' folder but it has no effect.
How can I get these cookie settings to apply to the whole site?
Bit late to the party with this but you can achieve what you need with Outbound Rules.
This will rewrite any cookies without Secure=true to be secure:
<outboundRules>
<rule name="Add Secure Cookies" preCondition="No Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false"/>
<action type="Rewrite" value="{R:0}; Secure=true"/>
<conditions/>
</rule>
<preConditions>
<preCondition name="No Secure">
<add input="{RESPONSE_Set_Cookie}" pattern="."/>
<add input="{RESPONSE_Set_Cookie}" pattern="; Secure=true" negate="true"/>
</preCondition>
</preConditions>
</outboundRules>
You can tweak the pattern if you need it to match a specific cookie, e.g: ^(UMB_PANEL).*
I believe that cookie only is set if you log in to the Umbraco admin area.
http://our.umbraco.org/forum/using/ui-questions/20674-Does-Umbraco-make-use-of-Cookies-anywhere-in-the-core-product
My guess is that your main web site users would never get that cookie. I realize that isn't directly answering the question, but perhaps it makes it a moot point?
Is it possible to deploy a web application in the cloud and configure it so that it appears like a subfolder in the company URL.
E.g.
www.mycompany.com //main company web site
www.mycompany.com/products // hits a web application in the cloud (azure for example)
thanks
Having in mind it is easier to do with sub-domain and CNAME, I think that what you are looking for is the IIS URL Rewrite module.
The following base rules are taken from this IIS Forum's thread, as a similar situation is described and samples rules are given. You may use them as a base:
<system.webServer>
<rewrite>
<rules>
<rule name="CanonicalHostNameRule">
<match url="(.+)/(.*)" />
<conditions>
<add input="{HostToRedirect:{HTTP_HOST}/{R:1}}" pattern="(.+)" />
</conditions>
<action type="Redirect" url="http://{C:1}/{R:2}" />
</rule>
</rules>
<rewriteMaps>
<rewriteMap name="HostToRedirect">
<add key="domain.com/mail" value="mail.domain.com" />
<add key="domain.net/mail" value="mail.domain.net" />
</rewriteMap>
</rewriteMaps>
</rewrite>
</system.webServer>
You may also check this SO question, as it is providing some guides on the problem you are trying to solve.
UPDATE WITH SOLUTION
This is totally achievable with URL Rewrite module for IIS in combination with ARR module. Then you need to set a Reverse Proxy rule that will rewrite all /products requests to the corresponding web app in the cloud. Your rule will look something like that:
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" patternSyntax="ECMAScript" stopProcessing="true">
<match url="(^products)" />
<conditions>
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<action type="Rewrite" url="{C:1}://myvompany.cloudapp.net/" />
</rule>
</rules>
</rewrite>
</system.webServer>
You can tweak this later to fit your exact need, but with the above sample I just achieved what you are looking for.
I'm not a DNS expert, but I think you would find it more straightforward to route products.mycompany.com to your Windows Azure web site than a subfolder.
IIS support redirects
I also like the answer from David on making it a web site and use cname to map products.mycompany.com
You could do both. Redirect www.mycompany.com/products to products.mycompany.com