If my login pages are HTTPS, does it matter if "requireSSL" is true in the forms tab of the web.config?
Currently I am redirecting pages with IIS to HTTPS. When I set requireSSL it seems to cause problems.
Can someone put the two settings in perspective? Thanks.
If you set HTTPS at the server level then requireSSL does not matter (setting it on or off should not make any difference). After setting HTTPS required, set a redirect as mentioned in this article:
http://www.jppinto.com/2009/01/automatically-redirect-http-requests-to-https-on-iis-6/
Reference:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl.aspx
"You can specify in the Web.config file for your ASP.NET application whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie to the server by setting the requireSSL attribute."
Related
I have an ASP.NET WebForms/MVC hybrid app deployed on IIS 10. I have two bindings for this app: one with just a localhost:portNo binding and another with a DNSDomainName:portNo binding. Both are HTTP bindings. SSL is turned off. I get the error
"This attempt to set a cookie via a Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection."
when I test the DNSDomainName:portNo binding (it is failing to set sessions). The localhost:portNo binding works without any issues. Why is this happening, and how do I fix this?
Your cookies are configured to require an HTTPS connection. When you try to set them on a non-secure connection, they will be rejected.
Check your web.config file settings for:
<httpCookies requireSSL="true" />
Change that setting to false, and your session cookies should start working.
NB: Once you publish your site, it should only ever be served over HTTPS, and this setting should be changed back to true.
Secure Cookie Attribute | OWASP Foundation
The localhost binding works because most browsers have special-case code to treat connections to that host name as "secure", even if they don't use HTTPS:
"Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost and http://*.localhost URLs (e.g. http://dev.whatever.localhost/), and file:// URLs are also considered to have been delivered securely."
Secure contexts - Web security | MDN
I have a request to allow customers to select to authenticate to our service using mTLS (Mutual Authentication). The problem I have is I want to allow this only on one endpoint and only in special circumstances. I do not want to globally accept or require Client Certificates on each request. The setting in IIS allows Ignore, Accept, or Require.
When I set it to Accept and browse to the site in Chrome I get this pop-up
Is there a way to accept the certificates if they are passed to a specific endpoint but not change the behavior of other endpoints?
To enable SSL negotiation settings on a specific route you can apply that setting to a specific location:
<location path="Route/Goes/Here">
  <system.webServer>
    <security>
      <access sslFlags="SslNegotiateCert"/>
    </security>
  </system.webServer>
</location>
Depending on how your IIS is set up this may cause a 500 error saying "This configuration section cannot be used at this path. This happens when the section is locked at a parent level." If that happens you need to enable the SSL Settings Read/Write flag as seen here:
Or using PowerShell:
Set-WebConfiguration //System.WebServer/Security/access[#sslFlags] -metadata overrideMode -value Allow -PSPath IIS:/
I created a project using ASP.NET MVC 5.1 and ASP.NET Identity 2.0. After I deploy it to IIS, when I go to the secure page 'https://www.xxxx.com/Account/Login' and log in, then go to https://www.xxxx.com, Request.IsAuthenticated returns true on the _LoginPartial.cshtml page; but if I go to http://www.xxxx.com, it always returns false.
It sounds like you may have the option set to only send the authentication cookie over HTTPS, therefore if you navigate to a page over HTTP, the authentication cookie is not sent and the application believes you to be unauthenticated.
The setting in question is requireSSL in the system.web/authentication/forms section:
<authentication mode="Forms">
  <forms name="auth" loginUrl="~/login" requireSSL="true" />
</authentication>
and this controls whether the secure property is used on the authentication cookie.
Since you are using HTTPS, I would recommend preventing the site from being navigated over HTTP.
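The two answers above (the blocked Set-Cookie on a plain-HTTP binding, and the forms-auth ticket that vanishes on http://) both come down to one browser rule: a cookie carrying the Secure attribute is stored and sent only in a secure context. The script below is an added example, not code from any of the answers or from ASP.NET; it parses a constructed web.config fragment, reads the two requireSSL switches the answers mention, and predicts per request URL whether the session cookie and the forms-auth cookie will work. The localhost / 127.0.0.1 / *.localhost exception is the MDN rule quoted above. Function names, the sample configs and the URLs are all mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample web.config, not taken from any real deployment.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms name="auth" loginUrl="~/login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""

# Second constructed variant: only the forms-auth ticket is marked Secure.
FORMS_ONLY_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpCookies requireSSL="false" />
    <authentication mode="Forms">
      <forms name="auth" loginUrl="~/login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""


def _require_ssl(element):
    """ASP.NET treats a missing requireSSL attribute as false."""
    if element is None:
        return False
    return element.get("requireSSL", "false").strip().lower() == "true"


def parse_require_ssl(config_xml):
    """Return which cookie classes the web.config marks with the Secure attribute.

    system.web/httpCookies@requireSSL applies to every cookie the app emits,
    the ASP.NET session cookie included; system.web/authentication/forms@requireSSL
    applies only to the forms-authentication ticket.
    """
    root = ET.fromstring(config_xml)
    all_cookies = _require_ssl(root.find("./system.web/httpCookies"))
    forms = _require_ssl(root.find("./system.web/authentication/forms"))
    return {"session": all_cookies, "forms_auth": all_cookies or forms}


def is_secure_context(url):
    """Secure-context rule quoted from MDN above: HTTPS, or a loopback host name."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ("https", "wss", "file"):
        return True
    host = (parts.hostname or "").lower()
    return host in ("localhost", "127.0.0.1") or host.endswith(".localhost")


def secure_cookie_usable(url, secure_flag):
    """A cookie carrying Secure is stored by, and sent from, the browser only for
    requests in a secure context; a cookie without Secure is unaffected."""
    return (not secure_flag) or is_secure_context(url)


def predict(config_xml, url):
    """Map each cookie class to whether it survives a request to `url`."""
    flags = parse_require_ssl(config_xml)
    return {name: secure_cookie_usable(url, secure) for name, secure in flags.items()}


if __name__ == "__main__":
    for url in ("http://localhost:8080/", "http://app.example.test:8080/", "https://app.example.test/"):
        print(url, predict(SAMPLE_WEB_CONFIG, url))
```

With SAMPLE_WEB_CONFIG the DNS-name HTTP binding loses both cookies while the localhost binding keeps them, which is exactly the asymmetry reported above; with FORMS_ONLY_WEB_CONFIG the session cookie survives on http:// but the forms-auth ticket does not, which is the IsAuthenticated behaviour in the second question. Either way the fix is to serve the site over HTTPS, not to drop the Secure flag.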
RequireSSL will only allow the cookie to be transferred across HTTPS. If you have this specific requirement then you need to take additional precautions in the code.
But beware of what you are doing at this point.
You can use Request.IsSecureConnection at the appropriate place. This could be in a module, in the base class, or in a filter.
An out-of-date article is here, but it can serve as a pointer:
http://r2d2.cc/2011/08/05/how-to-switch-between-http-and-https-in-asp-net-mvc2-and-allow-ajax-requests-from-site-master/
Caution: use with care, as you may need to take additional precautions on the server to avoid hijacking.
I recently set up an ASP.NET application under Win 7 / IIS 7 and enabled SSL for this app.
The app works great under SSL, but when I change the scheme from HTTPS to HTTP using a Response.Redirect, the request gets a timeout. I am stuck with it; any idea is welcome.
Regards
You cannot switch protocols unless you provide an absolute URL. The reference must be absolute.
Make use of the encryptedUri and unencryptedUri attributes. "unencryptedUri" may be specified to send the user back to another domain or specific URI when the module removes security.
You can have a custom configuration:
<secureWebPages
  mode="RemoteOnly"
  encryptedUri="secure.mysite.com"
  unencryptedUri="www.mysite.com"
  maintainPath="True"
  warningBypassMode="AlwaysBypass">
  ...
</secureWebPages>
An example would be to redirect secure requests to secure.mysite.com and requests that don't need to be secure could be redirected back to www.mysite.com. maintainPath is used in conjunction with the above attributes. When the module redirects to the encryptedUri or unencryptedUri, it appends the current path before sending users on their way.
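To make the "absolute URL" point concrete, here is an added example (my own code, not the answer's and not the secureWebPages module it refers to). It shows that a relative redirect resolved against the current request can never change the scheme, and then builds the absolute target the way the answer describes: host taken from encryptedUri or unencryptedUri, and the current path and query appended when maintainPath is on. The allow-list of hosts is my addition so that a scheme switch cannot be turned into an off-site redirect; the host names are the constructed ones from the configuration above.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed values mirroring the <secureWebPages> attributes above.
ENCRYPTED_URI = "secure.mysite.com"
UNENCRYPTED_URI = "www.mysite.com"
# Assumption: the application may only redirect to its own two hosts.
ALLOWED_HOSTS = frozenset({ENCRYPTED_URI, UNENCRYPTED_URI})


def relative_redirect(current_url, target):
    """What Response.Redirect("/path") resolves to in the browser:
    the scheme of the current request is kept, so HTTPS stays HTTPS."""
    return urljoin(current_url, target)


def switch_scheme(current_url, to_secure, encrypted_uri=ENCRYPTED_URI,
                  unencrypted_uri=UNENCRYPTED_URI, maintain_path=True):
    """Build the absolute URL for an HTTP<->HTTPS switch.

    Picks encryptedUri or unencryptedUri as the host and, with maintainPath,
    carries the current path and query string over to the new location.
    """
    parts = urlsplit(current_url)
    scheme = "https" if to_secure else "http"
    host = encrypted_uri if to_secure else unencrypted_uri
    if host not in ALLOWED_HOSTS:
        raise ValueError("refusing to redirect off-site: " + host)
    if maintain_path:
        path, query = (parts.path or "/"), parts.query
    else:
        path, query = "/", ""
    return urlunsplit((scheme, host, path, query, ""))


if __name__ == "__main__":
    print(relative_redirect("https://secure.mysite.com/checkout", "/home"))
    print(switch_scheme("https://secure.mysite.com/checkout?id=1", to_secure=False))
    print(switch_scheme("http://www.mysite.com/login", to_secure=True))
```

The first print shows the trap in the question: a relative redirect from an HTTPS page stays on HTTPS, so a handler that expects the scheme to drop to HTTP keeps bouncing. The second and third build the absolute URLs that actually cross schemes.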
How to respect "Serve static content from a cookieless domain" page speed rule in IIS6?
To create a cookieless site (or subdomain, which is a very common best practice) in IIS6/IIS7/IIS7.5 is simple: you need to tell the website not to use cookies :) Which, in IIS terms, means not to use a session.
This can be achieved in IIS6/IIS7 in two ways:
1. Modifying the Web.config file (my personal recommendation)
2. Using the IIS Manager GUI to find the setting and changing it.
IMPORTANT
Before you do any testing, you must, must, must clear all cookies (or all cookies for the domain you are testing); otherwise they will get passed along even if you have done all the steps.
1. Via Config File
You need to set the session state to off:
<system.web>
  <sessionState cookieName="What_ever" mode="Off" />
</system.web>
NOTE: Please note that the attribute cookieless (true|false) does NOT mean 'send cookies / do not send cookies'. That's for using sessions with/without cookies... and passes a session GUID in the URL instead (if set to true).
2. Via GUI
Hope this helps (I assume you know how to test whether cookies are or are not being sent...)
What this means is that your content needs to come from a domain that has no cookies attached to it. StackOverflow.com is an example of a site that does this. You will notice that all SO's static content comes from a domain called sstatic.net.
http://sstatic.net/stackoverflow/all.css
http://sstatic.net/js/master.js
This is so that the client and the server don't have to waste resources on actually parsing and handling cookie data. The good news is, you can use a sub-domain, assuming that you set your cookie path correctly.
Yahoo Best Practices for Speeding Up Your Web Site: Use Cookie-free Domains for Components
"When the browser makes a request for a static image and sends cookies together with the request, the server doesn't have any use for those cookies. So they only create network traffic for no good reason. You should make sure static components are requested with cookie-free requests. Create a subdomain and host all your static components there. If your domain is www.example.org, you can host your static components on static.example.org. However, if you've already set cookies on the top-level domain example.org as opposed to www.example.org, then all the requests to static.example.org will include those cookies. In this case, you can buy a whole new domain, host your static components there, and keep this domain cookie-free. Yahoo! uses yimg.com, YouTube uses ytimg.com, Amazon uses images-amazon.com and so on.
Another benefit of hosting static components on a cookie-free domain is that some proxies might refuse to cache the components that are requested with cookies. On a related note, if you wonder if you should use example.org or www.example.org for your home page, consider the cookie impact. Omitting www leaves you no choice but to write cookies to *.example.org, so for performance reasons it's best to use the www subdomain and write the cookies to that subdomain."
Create a subdomain (for example static.example.com) and store all static content (images, CSS, JS) there.
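The quoted Yahoo text and the answers above turn on the cookie Domain attribute: a cookie written to example.org is sent to every subdomain, including static.example.org, while a host-only cookie for www.example.org is not. The script below is an added example, not code from any answer or from Yahoo; it applies the domain-matching rule of RFC 6265 section 5.1.3 as I read it to a constructed cookie jar and reports which cookies a static subdomain would receive, which is the check to run before calling a subdomain "cookie-free". The Cookie class, the jar contents and the host names are all mine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute, or the setting host when there was none
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: the host equals the cookie domain, or ends
    with "." + cookie domain and is a name rather than an IP literal."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    return (not _is_ip(request_host)) and request_host.endswith("." + cookie_domain)


def cookies_sent_to(jar, request_host):
    """Names of the cookies in `jar` the browser attaches to a request for
    `request_host` (path and Secure are ignored; this models the domain rule only)."""
    sent = []
    for cookie in jar:
        if cookie.host_only:
            match = request_host.lower().rstrip(".") == cookie.domain.lower()
        else:
            match = domain_matches(request_host, cookie.domain)
        if match:
            sent.append(cookie.name)
    return sent


def is_cookie_free(jar, static_host):
    """True when no cookie in the jar would ride along to the static host."""
    return not cookies_sent_to(jar, static_host)


# Constructed cookie jar: a host-only ASP.NET session cookie, a preference
# cookie scoped to www, and a tracking cookie written to the registrable
# domain (the mistake the quoted Yahoo text warns about).
JAR = [
    Cookie("ASP.NET_SessionId", "www.example.org", host_only=True),
    Cookie("prefs", "www.example.org", host_only=False),
    Cookie("tracking", "example.org", host_only=False),
]


if __name__ == "__main__":
    for host in ("www.example.org", "static.example.org", "static.example.net"):
        print(host, cookies_sent_to(JAR, host))
```

Running it shows that static.example.org still receives the "tracking" cookie, so the subdomain is not cookie-free until that cookie is rescoped to www.example.org or the static content moves to a separate registrable domain, which is the option the Yahoo text gives.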