Secure your Sitecore Cookies

So a Sitecore site I’ve been working on recently underwent a penetration test, which turned up an interesting item. The ASP.NET_SessionId and SC_ANALYTICS_GLOBAL_COOKIE cookies aren’t set with the ‘Secure’ flag. Further, my own checking showed that the .ASPXAUTH token was also set without the ‘Secure’ flag.

As the entire site is only served over HTTPS, this seems to be a bit remiss.

Fortunately, there are a couple of easy fixes for this that can be set in the Web.config.

Under <system.web>, set requireSSL on the <httpCookies> element:

<httpCookies requireSSL="true" />

And on the <forms> element, set requireSSL too:

<forms name=".ASPXAUTH" cookieless="UseCookies" requireSSL="true" />

This latter one is needed for the .ASPXAUTH cookie, but that seems to do it.

Don’t forget to set the HttpOnly flag as appropriate for your cookies too!
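
To confirm the settings above are actually present, here is an added check (not code from the original post): a short Python script that parses a Web.config and reports where requireSSL or httpOnlyCookies is missing. The sample config, the CHECKS table and the function name audit_cookie_settings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <forms> is hardened, but <httpCookies> lacks requireSSL.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" cookieless="UseCookies" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

# (element path under <system.web>, attribute, what the attribute controls)
CHECKS = [
    ("httpCookies", "requireSSL", "Secure flag on application cookies"),
    ("httpCookies", "httpOnlyCookies", "HttpOnly flag on application cookies"),
    ("authentication/forms", "requireSSL", "Secure flag on the .ASPXAUTH cookie"),
]

def audit_cookie_settings(config_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")  # element names are case-sensitive
    if web is None:
        return ["<system.web> section not found"]
    auth = web.find("authentication")
    uses_forms = auth is not None and auth.get("mode", "").lower() == "forms"
    findings = []
    for path, attr, meaning in CHECKS:
        # The <forms> check only applies when forms authentication is enabled.
        if path.startswith("authentication") and not uses_forms:
            continue
        element = web.find(path)
        value = element.get(attr) if element is not None else None
        # Both attributes default to false when omitted.
        if (value or "").strip().lower() != "true":
            state = "absent" if value is None else f'"{value}"'
            name = path.split("/")[-1]
            findings.append(f"<{name}> {attr} is {state}: {meaning} not set")
    return findings

if __name__ == "__main__":
    for finding in audit_cookie_settings(SAMPLE_WEB_CONFIG) or ["all checks passed"]:
        print(finding)
```
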


ASP.NET CustomErrors can't capture HTTP 401s…

It’s been a mad few weeks, so sorry for the posts tailing off a bit. Anyway, let’s get back into it with an interesting (and fairly short) problem.

ASP.NET applications can have custom error pages for the different HTTP responses. For example, you can have a custom “404 – Page not found”. Now, this can be a good idea, particularly for errors that produce stack traces or provide potentially sensitive information about the workings of your code. Or, heck, maybe you just want to present a nice looking error page.