We have an externally facing application which was penetration-tested by an external security company. Application has been developed on ASP.NET MVC4 and running on IIS8/Windows 2012 Server.
One of the vulnerabilities reported was ASPXAUTH is not secure. When I checked on the cookie inspector, there are some cookies with Secure flag. But ASPXAUTH was not one of them.
I did a bit of research, and set these flags below on the web.config
<forms loginUrl="~/Account/Login" timeout="2880" requireSSL="" name="AppName" />
and
<httpCookies httpOnlyCookies="true" requireSSL="true" />
Despite these settings, the authentication cookie is not marked as secure. I assumed that thse flags should be enough to mark application cookies as secure, but there are a few other cookies which are also not marked as secure. I am not too concerned about them as they don't contain any sensitive information. But I would like to flag ASPXAUTH as secure.
My questions are,
thanks.
Launch Google Chrome and go to either WEB or CAWEB portal website. Press F12 (from Keyboard) to launch Developer Tools. Go to Application tab -> Cookies ( left Panel) and ensure the Secure column was ticked.
If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text. Solution Suggested: For each cookie sent over SSL in your web-site, add the "Secure" flag to the cookie.
I found this piece of code to which made my authentication cookie secure. I cant remember the source of this but if you add it to your global.asax, it sorts the issue. I do not know why but requireSSL=true in your tag was not enough to make it secure.
protected void Application_EndRequest(Object sender, EventArgs e)
{
string authCookie = FormsAuthentication.FormsCookieName;
foreach (string sCookie in Request.Cookies)
{
if (sCookie.Equals(authCookie))
{
// Set the cookie to be secure. Browsers will send the cookie
// only to pages requested with https
var httpCookie = Response.Cookies[sCookie];
if (httpCookie != null) httpCookie.Secure = true;
}
}
}
Your issue looks to be that because your form is incorrectly configured. You have:
<forms ... requireSSL="" ... />
and you should have
<forms ... requireSSL="true" ... />
According to Microsoft the requireSSL
attribute in the httpCookies
tag is overridden by the requireSSL
attribute of the forms
tag. You didn't set the value, but you specified it may cause IIS to use the default of false
. You should set it to true
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With