How can I set the Secure flag on an ASP.NET Session Cookie?

How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?

In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
<!-- forms content -->
</forms>
</authentication>
</system.web>
See here and here for MSDN documentation of these elements.

There are two ways: the httpCookies element in web.config lets you turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only, and there is also the forms authentication element; but if you turn on SSL in httpCookies you must also turn it on inside the forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />

Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
<authentication>
<forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
</authentication>
</system.web>
That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.

Building upon #Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.
To that end you'd setup your web.Release.config as:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
</system.web>
</configuration>
If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<authentication>
<forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
</authentication>
</system.web>
</configuration>
Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889
Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
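As an added check (example code written here, not from any of the answers above or from Microsoft), the following Python walks a web.config for the cookie-issuing elements the answers mention and reports any whose cookie is not marked Secure, including the case where a present forms element overrides httpCookies. The sample config is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any real project): httpCookies requires SSL,
# but the <forms> element is present without requireSSL, which resets it to the default false.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="20" />
    </authentication>
    <anonymousIdentification enabled="true" />
    <roleManager enabled="true" cookieRequireSSL="true" />
  </system.web>
</configuration>
"""

# Cookie-issuing elements discussed in the answers and the attribute that marks
# each one's cookie Secure: (path under <configuration>, attribute name).
CHECKS = [
    ("system.web/httpCookies", "requireSSL"),
    ("system.web/authentication/forms", "requireSSL"),
    ("system.web/anonymousIdentification", "cookieRequireSSL"),
    ("system.web/roleManager", "cookieRequireSSL"),
]


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_cookie_ssl(config_xml):
    """Return a list of finding strings for cookie elements not marked Secure.

    httpCookies is always expected (its absence means the default false applies).
    The other elements only matter when they appear and are not disabled, but a
    <forms> element present without requireSSL="true" overrides httpCookies, so
    it is reported even when httpCookies itself is correct.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for path, attr in CHECKS:
        elem = root.find(path)
        if elem is None:
            if path.endswith("httpCookies"):
                findings.append(f"{path}: element missing, {attr} defaults to false")
            continue
        # An explicitly disabled feature (enabled="false") issues no cookie; skip it.
        if elem.get("enabled", "true").strip().lower() == "false":
            continue
        if not _is_true(elem.get(attr)):
            findings.append(f"{path}: {attr} is {elem.get(attr)!r}, expected 'true'")
    return findings


if __name__ == "__main__":
    for finding in audit_cookie_ssl(SAMPLE_WEB_CONFIG):
        print(finding)
```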

secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.

Related

Using web.config file for redirect

Using only the web.config file, I need to redirect from one domain to another, and I also need to redirect each individual page (there are 25 of them) in my website to its corresponding page under the new domain. And the renamed /index.htm page, which is the home page (same as the domain name alone) and which is /ghostwriter.htm needs to be redirected to its corresponding page, which will also be the new home page.
Thus: http://www.rainbowriting.com/ is the same page as http://www.rainbowriting.com/ghostwriter.htm (the index page).
You need to make sure ASP.NET is handling .htm files (set this in IIS). Then configure web.config:
<configuration>
<location path="oldPage1.htm">
<system.webServer>
<httpRedirect enabled="true" destination="http://www.newDomain.com/newPage1.htm" httpResponseStatus="Permanent" />
</system.webServer>
</location>
<location path="oldPage2.htm">
<system.webServer>
<httpRedirect enabled="true" destination="http://www.newDomain.com/newPage2.htm" httpResponseStatus="Permanent" />
</system.webServer>
</location>
<!-- etc. -->
</configuration>

Acquiring a SOAP trace for debugging is not working

I am using the DocuSign API to create and retrieve "envelopes" for signing (docusign.com for more info).
Basically I am having some issues trying to acquire a SOAP trace based on their instructions https://github.com/docusign/DocuSign-eSignature-SDK/wiki/How-to-acquire-a-SOAP-trace-for-debugging-%28Windows%29
And here is where I am needing some help. Has anyone, using these instructions from DocuSign support (which come from the Microsoft page and, according to one of the community comments, seem not to work), been able to create a trace?
I have tried all possible combinations and I don't see any log file created so far.
I really appreciate any help you can provide me with.
Thanks
Here's the trace config I use in my App.config for DocuSign. You'll need to clean up the log a bit (look for "<<<" and ">>>" before/after each call).
First add this to the system.serviceModel section:
<diagnostics>
<messageLogging
logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtServiceLevel="true"
logMessagesAtTransportLevel="true"
maxMessagesToLog="50"
maxSizeOfMessageToLog="500000000" />
</diagnostics>
Then add this to the configuration section:
<system.diagnostics>
<trace autoflush="true" />
<sources>
<source name="System.Net" tracemode="protocolonly" maxdatasize="52428800" >
<listeners>
<add name="MyTraceFile"/>
</listeners>
</source>
</sources>
<sharedListeners>
<!-- Set path here. Make sure the app has permission to write to the location.-->
<add
name="MyTraceFile"
type="System.Diagnostics.TextWriterTraceListener"
initializeData="c:\temp\DsTrace.log" />
</sharedListeners>
<switches>
<add name="System.Net" value="Verbose" />
</switches>
</system.diagnostics>
One more note, the DocuSign staff will really appreciate it if you remove the PDFBytes elements from your trace before you send it, unless that's needed for what you're having them troubleshoot.

403.14 and defaultDocument

We are having a problem on our web server which is driving us mad!!
When we define defaultDocument in our web.config we always get the dreaded 403.14 Http error. The config is (inside system.webserver):
<defaultDocument enabled="true">
<files>
<clear/>
<add value="~/Forms_Mosaic/Our System.aspx"/>
</files>
</defaultDocument>
We are using IIS 7.0 and if we turn directory browsing on we can happily browse to the specified file. We have the folders that it resides in set to ANONYMOUS LOGON user credentials and can also access the page with a fully qualified URL.
Can anyone suggest why we keep getting this error?
Thanks.
I came across a similar issue today and found that the tilde (~) and leading forward slash were causing the issue. For example, while the following doesn't seem to work:
<defaultDocument enabled="true">
<files>
<add value="~/test.htm" />
</files>
</defaultDocument>
specifying the file just as a plain-ole-relative URL worked fine, at least for me:
<defaultDocument enabled="true">
<files>
<add value="test.htm" />
</files>
</defaultDocument>
Note though that if your desired default document's in a subfolder relative to the application root (as seems to be the case for you) then when you browse to the subfolder you're going to get the same issue. For example, if you browse to http://example.com/Forms_Mosaic/ IIS'll be looking for a default document at http://example.com/Forms_Mosaic/Forms_Mosaic/Our%System.aspx which obviously won't exist.
Strikes me that a default.aspx in the root folder with a Server.Transfer or Response.Redirect might be a better solution in the specific case of the OP, rather than using a site-wide setting to handle what's really a folder-specific problem.
The value you specified is not a valid URL. Try:
<defaultDocument enabled="true">
<files>
<clear/>
<add value="~/Forms_Mosaic/Our%20System.aspx"/>
</files>
</defaultDocument>
You may also get this error if you are using urlMappings. In this case, the value will have to be the non-mapped value. So for the following situation, you will see the error if the value is page-b.aspx but not if it is page-a.aspx.
<urlMappings>
<add mappedURL="~/page-a.aspx" url="~/page-b.aspx" />
</urlMappings>

How to make ASP.NET MVC View Insecure via location tag in Web.Config

I have the following authorization settings in my web.config:
<authorization>
<deny users="?" />
</authorization>
This denies all anonymous access to the application except the login page. In addition to this I am using authorization within each controller action via a custom authorize attribute.
I have one additional action that I would like to expose publicly in addition to the login page. This particular action does not have the authorization attribute on it. I have tried to make this view (resetPassword view) public by using the location tag in the web.config file like so:
<location path="Account/ResetPassword" allowOverride="false">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In the path attribute above I have tried both the view as well as the action path, but it doesn't allow public access to the action.
I have even tried to put this view in a separate folder within the shared folder and put a separate web.config file to make that folder public like so:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
None of the above configuration allow me to make this particular action (view) public. Can anyone suggest any other solutions, or what I may be doing wrong in this case?
Thanks in advance.
You can remove the authorization tag from the web config and just use the authorize attribute.
The action without the Authorize attribute set will be public.
I had the same problem some time ago. Please have a look at this question and its answers.
If you want to do it using the web config then use code like this
<!-- Allow access to _assets directory -->
<location path="_assets">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
In your sample you are using "*" but you should use "?" ;)

What is the difference between customErrors and httpErrors?

What is the difference between the customErrors and httpErrors sections of the web.config file in ASP.NET MVC applications?
What are the guidelines for using each section?
Updated April 2016
The customErrors attribute is used when the .net code is throwing an exception (404, 403, 500 etc) and the httpErrors attribute is used when IIS itself is throwing an exception.
/myfakeextensionslessurl --> httpErrors 404
/myfakeaspsx.aspx --> customErrors 404
/myfakeimage.jpg --> httpErrors 404
/throw500.apx --> customErrors 500
/throw500 --> customErrors 500
There are a lot of pitfalls trying to configure this correctly. So if you are looking for a quick example, the best 2 options you have are:
Example 1: Using html pages
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="/Error500.html" redirectMode="ResponseRewrite">
<error statusCode="403" redirect="/Error403.html" />
<error statusCode="404" redirect="/Error404.html" />
<error statusCode="500" redirect="/Error500.html" />
</customErrors>
</system.web>
<system.webServer>
<httpErrors errorMode="DetailedLocalOnly" existingResponse="Auto">
<remove statusCode="403" />
<remove statusCode="404" />
<remove statusCode="500" />
<error statusCode="403" responseMode="File" path="Error403.html" />
<error statusCode="404" responseMode="File" path="Error404.html" />
<error statusCode="500" responseMode="File" path="Error500.html" />
</httpErrors>
</system.webServer>
Example 2: using aspx pages
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="/Error500.html" redirectMode="ResponseRewrite">
<error statusCode="403" redirect="/Error403.aspx" />
<error statusCode="404" redirect="/Error404.aspx" />
<error statusCode="500" redirect="/Error500.aspx" />
</customErrors>
</system.web>
<system.webServer>
<httpErrors errorMode="DetailedLocalOnly" existingResponse="Auto">
<remove statusCode="403" />
<remove statusCode="404" />
<remove statusCode="500" />
<error statusCode="403" responseMode="ExecuteURL" path="Error403.aspx" />
<error statusCode="404" responseMode="ExecuteURL" path="Error404.aspx" />
<error statusCode="500" responseMode="ExecuteURL" path="Error500.aspx" />
</httpErrors>
</system.webServer>
And in the aspx error pages you need to do something like this (example 404 page):
<%
Response.StatusCode = 404;
Response.TrySkipIisCustomErrors = true;
%>
Note: Using extensionless URLs in the customErrors section is not possible (without hacks).
One workaround is to disable custom errors and let httpErrors handle the custom page. A friend has created such a setup; when I find some time, I will share the code.
Background
A good custom error page will:
Show the real exception when you visit the problem page locally
Show a custom page when you visit the problem page remotely
Will not redirect, but simply show the error page content (because of seo reasons)
Will show the correct status code
So to clarify some options in our config:
<customErrors mode="RemoteOnly". You can specify here: On, Off, RemoteOnly.
On = Always show custom error pages
Off = Always show the real error
RemoteOnly = Show the error locally, but show the custom error page remotely.
So we want RemoteOnly for statement 1
<customErrors redirectMode="ResponseRewrite". You can specify here: ResponseRedirect or ResponseRewrite. The ResponseRedirect mode will redirect the error page to the custom error page. For a link crawler (SEO), this will result in 302 -> 500, but you want the link crawler to get a 500 error.
<httpErrors errorMode="DetailedLocalOnly". This is the equivalent of the customErrors mode. Options that you have: Custom, Detailed, DetailedLocalOnly.
A good blog post which helped me a lot is: http://benfoster.io/blog/aspnet-mvc-custom-error-pages
Disclaimer: This is from my experience and not proven fact.
Both are used to define error handling for a website, but different software refers to different config elements.
customErrors is a legacy (backwards compatible) element, used by Visual Studio Development Server (aka VSDS or Cassini).
httpErrors are the new element which is only used by IIS7.
This highlights the possible problem when developing ASP.NET websites while using VSDS instead of the local IIS.
Also, refer to this post by myself about how to handle error messages with IIS7, if you wish to have full control of the error output.
Summary:
Developing in VSDS - use customErrors
Publishing the site to IIS6 - use customErrors
Publishing the site to IIS7 - use httpErrors.
And if you develop with VSDS but publish to IIS7, then I guess you'll need both.
<customErrors> versus <httpErrors>
<customErrors>
still available in IIS7+
specify custom error pages for requests handled by ASP.NET
only handles requests within the ASP.NET application
static files such as HTML files or directory (“friendly”) URLs are not handled
<httpErrors>
introduced in IIS7
specify custom error pages for requests handled by IIS
handles requests within the ASP.NET application AND/OR handles requests outside the ASP.NET application *
all files and URLs are handled *
Note: it is no longer necessary to use customErrors
Quoted source: Custom 404 and error pages in ASP.NET (excellent article)
ExecuteURL serves dynamic content such as an .aspx page (the path value has to be a server relative URL):
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="ExecuteURL" >
<remove statusCode="404"/>
<error statusCode="404" responseMode="ExecuteURL" path="/error.aspx" />
</httpErrors>
</system.webServer>
File serves a custom error file, such as a .html page:
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="File" >
<remove statusCode="404"/>
<error statusCode="404" path="404.html" />
</httpErrors>
</system.webServer>
Reference: HTTP Errors (www.iis.net)
for more details, read the www.iis.net link above
The errors sections in web.config provide a custom HTTP error handling approach. There are two sections: customErrors inside the system.web section, and httpErrors inside the system.webServer section (as given below).
customErrors:
This section was in use before IIS 7 was introduced; IIS 6, 5 and earlier fully use this section for handling custom HTTP errors according to the HTTP status code.
httpErrors:
IIS 7 and later use this section as well as the customErrors section to handle custom HTTP errors based on file extension: if the requested page's extension is registered with the ISAPI DLL (.aspx, .ashx, .asmx, .svc etc.), like index.aspx, then IIS picks up the setting from the customErrors section, else it picks up the setting from httpErrors (the IIS 7 hosted mode must be set to integrated mode, not classic).
Below are examples for 404 error handling; check the link:
httperrors vs customerrors in webconfig, iis, asp.net