Categories
Information Security & Privacy Software Engineering

SSL Termination and Secure Cookies/requireSSL with ASP.NET Forms Authentication

If you’re running a HTTPS-only web application, then you probably have requireSSL set to true in your web.config like so:

<httpCookies requireSSL="true" httpOnlyCookies="true"

With requireSSL set, any cookies ASP.NET sends with the HTTP response – in particular, the forms authentication cookies – will have theĀ “secure” flag set. This ensures that they will only be sent to your website when … Read more “SSL Termination and Secure Cookies/requireSSL with ASP.NET Forms Authentication”

Categories
ASP.NET DevOps Information Security & Privacy Web Development

Get ASP.NET auth cookie using PowerShell (when using AntiForgeryToken)

At FundApps we run a regular SkipFish scan against our application as one of our tools for monitoring for security vulnerabilities. In order for it to test beyond our login page, we need to provide a valid .ASPXAUTH cookie (you’ve renamed it, right?) to the tool.

Because we want to prevent Cross-site request forgeries to our login pages, we’re using … Read more “Get ASP.NET auth cookie using PowerShell (when using AntiForgeryToken)”

Categories
ASP.NET Information Security & Privacy Web Development

Forms Authentication loginUrl ignored

I hit this issue a while back, and someone else just tripped up on it so thought it was worth posting here. If you’ve got loginUrl in your Forms Authentication configuration in web.config set, but your ASP.NET Forms or MVC app has suddenly started redirecting to ~/Account/Login for no apparent reason, then the new simpleMembership(ish) provider is getting in the … Read more “Forms Authentication loginUrl ignored”