Version 7.x > Portal Engine > How to secure ASP.NET_SessionId
Member
Lokendra Jain - 6/14/2013 2:18:46 AM
How to secure ASP.NET_SessionId
Hi Martin,

Is there any way to secure the ASP.NET_SessionId cookie in Kentico CMS 7.0?
When I am using SSL and log in with an account, it should show the ASP.NET_SessionId cookie as secure.
Cookie name / value / path / domain / HttpOnly:
ASP.NET_SessionId=2yy0xl2cml0mzdww4dza3oq0; path=/; domain=localhost; HttpOnly

Could you please advise me?

Thanks
Lokendra Jain

Kentico Legend
Brenden Kehren - 6/14/2013 6:56:31 AM
RE: How to secure ASP.NET_SessionId
This would be more of an IIS/ASP.NET setting/feature and not specifically related to Kentico. A quick Google search shows a few suggestions regarding settings in IIS and some coding practices.

Best of luck!

Member
Lokendra Jain - 6/17/2013 6:02:46 AM
RE: How to secure ASP.NET_SessionId
Hi FroggEye,

Thanks for your response. Yes, you are right, I have written the code to secure the ASP.NET_SessionId cookie. I am facing an issue while I am resetting a password. When I am using the secure (ASP.NET_SessionId) cookie, then reset password shows the error message "This link is no longer valid". If I am not securing the ASP.NET_SessionId cookie and resetting the password, then it works fine.

Could you please advise me?

Thanks
Lokendra Jain

Member
dmpcohaesus - 7/5/2013 4:24:00 AM
RE: How to secure ASP.NET_SessionId
I have the same issue: when you set the cookie as secure, the password reset functionality of the site breaks.

It might be because the URL is not HTTPS, since marking the cookie secure means it is only sent over HTTPS.

Member
Lokendra Jain - 7/5/2013 4:32:37 AM
RE: How to secure ASP.NET_SessionId
Hi dmpcohaesus,

I have sent the URL over HTTPS but it is not working. I have written custom code to secure the cookie except on the reset password page, but when I return from reset password to any page the cookie is unsecured. I haven't resolved the issue yet.


Thanks
Lokendra Jain

Kentico Support
kentico_jurajo - 7/8/2013 2:21:08 AM
RE: How to secure ASP.NET_SessionId
Hi,

Have you tried setting the cookies to be HttpOnly, so they cannot be read from JavaScript?
Another option is cookie encryption.
Forms protection.
Or, another option is to configure SSL/HTTPS.

Best regards,
Juraj Ondrus

Member
dmpcohaesus - 7/22/2013 8:53:51 AM
RE: How to secure ASP.NET_SessionId
This is not acceptable, unfortunately.

We have our application tested by a security firm so it can be accepted. For reasons I cannot share, it is a legal requirement that the site is secure.

One of the tests run is the OWASP Secure Flag on cookies rule: https://www.owasp.org/index.php/SecureFlag

This means that the session cookie can only be transferred over HTTPS and not over HTTP.

What we do is, as soon as the user logs in, all their following requests will be over HTTPS, so they will be forced to browse the site on HTTPS. However, it is possible to visit the site on HTTP, BUT they should not be able to see their secured content over it.

So the cookie must be set as a secure cookie.

However, this breaks Kentico functionality.

Can you provide any assistance? This issue is very simple to reproduce: you can get a clean copy of Kentico 7, set the cookie as secure and see it for yourself.

Regards

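To make the Secure-flag behaviour described in the post above concrete, here is an added example (not code from this thread or from Kentico) that audits Set-Cookie headers the way the OWASP check does and models why a Secure session cookie is not attached to an http:// reset link. The sample headers are constructed to mirror the one posted earlier in the thread.

```python
"""Audit Set-Cookie headers for the Secure/HttpOnly flags and model which
cookies a browser would send on a given URL.

Added example, not code from the forum thread or from Kentico; the sample
headers below are constructed to mirror the one posted in the thread."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit(header):
    """Return the hardening flags the cookie is missing (the OWASP check)."""
    c = parse_set_cookie(header)
    return [flag for flag in ("Secure", "HttpOnly")
            if flag.lower() not in c["attrs"]]


def would_send(header, url):
    """Browser rule behind the thread's breakage: a Secure cookie is only
    attached to https:// requests, so an http:// reset link arrives with no
    session cookie and the server treats the link as invalid."""
    c = parse_set_cookie(header)
    u = urlsplit(url)
    if "secure" in c["attrs"] and u.scheme != "https":
        return False
    if not (u.path or "/").startswith(c["attrs"].get("path", "/")):
        return False
    domain = c["attrs"].get("domain")
    if domain:
        host, d = (u.hostname or ""), domain.lstrip(".")
        if host != d and not host.endswith("." + d):
            return False
    return True


# Constructed samples: UNSECURED mirrors the header posted in the thread
# (HttpOnly but no Secure); SECURED is what the security test expects.
UNSECURED = "ASP.NET_SessionId=2yy0xl2cml0mzdww4dza3oq0; path=/; domain=localhost; HttpOnly"
SECURED = UNSECURED + "; Secure"

if __name__ == "__main__":
    for h in (UNSECURED, SECURED):
        print("missing:", audit(h) or "nothing")
        for url in ("https://localhost/reset", "http://localhost/reset"):
            print("  sent on", url, "->", would_send(h, url))
```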
Kentico Support
kentico_jurajo - 7/26/2013 1:42:58 AM
RE: How to secure ASP.NET_SessionId
Hi,

Have you tried using the

<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />

and also set the logon page and all the pages that are set to require authentication to use SSL including the page with the password reset?

Best regards,
Juraj Ondrus

Member
Lokendra Jain - 8/21/2013 1:58:23 AM
RE: How to secure ASP.NET_SessionId
Hi Juraj,

I have added this key in web.config and it is securing the session key, but we are facing an issue with the reset password functionality when we add this key in the config file.

The reset password link is expiring when we are sending it to SSL.

Could you please suggest how we can exclude a page (resetpassword) from SSL?

Thanks
Lokendra

Kentico Legend
Brenden Kehren - 8/21/2013 7:11:22 AM
RE: How to secure ASP.NET_SessionId
In the page's properties go to Security, then select Requires SSL = Never. This will automatically redirect an SSL request to a non-SSL request.

Member
Lokendra Jain - 8/27/2013 6:27:22 AM
RE: How to secure ASP.NET_SessionId
I have used <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" /> to secure the cookie, but it is breaking the reset password functionality. I have tried with "Requires SSL = Never" on the page property, but it is still breaking the reset-password functionality.

Please suggest other way if any.

Thanks
Lokendra Jain

Kentico Support
kentico_jurajo - 9/7/2013 1:31:42 AM
RE: How to secure ASP.NET_SessionId
Hello,

Could you please describe the issue in detail? I am unable to reproduce it.

I have set my IIS to use an SSL certificate, and the entire web site in my Kentico is set to use SSL. I have secured the session cookie as mentioned in this thread, using requireSSL for the forms tag as well as for the httpCookies tag. I cleared all the cache and history in the browser and visited the site.
After I logged in, the session cookie is secured.
Then I logged out and requested a password reset. I copied the link from the e-mail (since I am using a local SMTP server) and pasted it into the browser.
The reset password page is loaded (https) and I am able to reset the password just fine.
Am I missing something?

Best regards,
Juraj Ondrus