So, application insights can track a users’ session, and if they are a returning user – and it does this with cookies…Continue reading “Application Insights – GDPR considerations”
I tried logging into Sitecore’s App Center, and got the following error:
The credentials used to log in to the Sitecore App Center cannot access the license used on this server
This was in Chrome. Strangely, I discovered that I could log in through Chrome Canary. What’s different?
So a Sitecore site I’ve been working on recently underwent a penetration test, which turned up an interesting item. The ASP.NET_SessionId and SC_ANALYTICS_GLOBAL_COOKIE cookies aren’t set with the ‘Secure’ flag. Further, my own checking showed that the .ASPXAUTH token was also set without the ‘Secure’ flag.
As the entire site is only served over HTTPS, this seems to be a bit remiss.
Fortunately, there are a couple of easy fixes to this that can be set in the Web.config
<httpCookies> set requireSSL:
<httpCookies requireSSL="true" />
<forms> set requireSSL too.
<forms name=".ASPXAUTH" cookieless="UseCookies" requireSSL="true" />
This latter one is needed for the .ASPXAUTH cookie, but that seems to do it.
Don’t forget to set the HTTPOnly flag as appropriate for your cookies too!