In the server response, I am adding the "secure" flag to all cookies by placing the following line within the web.config:
<system.web>
<httpCookies requireSSL="true" />
</system.web>
This seems to work since the ASP.NET_SessionId cookie shows the "secure" flag in the response:
However, when I perform an action on the page and check the Dev Tools again, I notice that the very same cookie no longer has the "secure" flag in the client request:
I am using Internet Explorer 11 developer tools to view the Network.
Should the session cookie contain the "secure" flag in the client's request? If not, are there any security implications of having an "insecure" request cookie?
After spending some time looking into it, I did not find any code in my application that was altering the cookies or the "secure" flag on the cookies. Any information on the matter will be appreciated.
Net MVC 4.7.2 application. This application uses the Azure Identity platform for user authentication. When the user is on the company's network and signs in to the app, it seems the session doesn't end, probably because of Single Sign-On seamless authentication. So that is okay when the user is on the company's network and the session goes on for a long time, even when the user logs out or stays idle.
The question is: what if the user is not on the company's network and signs in to the application? I want to figure out the exact number of minutes after which the session or authentication cookies are set to expire when the web app is in an idle state.
The IdleTimeout determines how much time the session is idle before the contents in cache are abandoned.
The IdleTimeout doesn't depend on the cookie expiration.
The expiration of session cookies varies browser to browser.
The Timeout property can be set in Web.config file for the application like below:
<configuration>
<system.web>
<sessionState
mode="InProc"
cookieless="true"
timeout="30" />
</system.web>
</configuration>
Please note that the time after which the session or authentication cookies expire when the web app is idle is 20 minutes by default, as mentioned in this MsDoc like below:
The IdleTimeout can be set up to 525,600 minutes (1 year) and it applies to Net MVC 4.7.2 version too.
The default frequency for user sign-in is 90 days.
You can set up the session cookie in Azure Active Directory; please refer to this MsDoc.
I have a provider hosted app which uses SharePoint Context filter for authenticating users. I'm storing the context token generated in the first request in a session variable and using it in subsequent calls.
When I click on the app in site contents and get redirected to the provider hosted app, everything is working fine.
But when I navigate to a page in SharePoint Online which has a Client Webpart hosted in the provider hosted app, the session does not work.
On inspecting the request headers sent by the app web part and by the app when it is opened directly, I found that the ASP.NET_SessionId cookie is not getting stored in the app web part, but it is when the provider hosted app is navigated to directly.
Also, I found that the SPCacheKey cookie is being stored in both cases; only the session cookie is not getting stored when loading via the app web part.
I tested this in Chrome as well as IE and both give the same output.
I tried modifying the web.config as per this link:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="p3p" value='CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"' />
</customHeaders>
</httpProtocol>
</system.webServer>
But it didn't solve the issue. Because the session is not getting stored, every AJAX call in my provider hosted app is getting redirected to appredirect.aspx, which throws:
Access to xmlhttprequest at https://tenant.sharepoint.com from origin https://providerhosted.domain blocked by cors policy no access
Why is the ASP.NET Session Id cookie not getting stored when loading via app webpart?
Please help
After searching for a solution to this problem using many different keywords in Google, I finally found one. It looks like this is an iframe issue: as the app web part loads inside an iframe, the session cookies are not stored inside the iframe.
As per this answer and this link, adding the cookieSameSite=None attribute in the sessionState of web.config fixed the issue.
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
As usual, this was caused by an update released by MS which changed the default value of the cookieSameSite attribute of session cookies from None to Lax.
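Both the first question on this page (why the "secure" flag is absent from the request cookie) and this SameSite answer come down to how a browser treats cookie attributes. The Python model below is an added example, not code from any of the posts or from ASP.NET: it parses a Set-Cookie header, audits its flags, rebuilds the Cookie request header (which never carries attributes), and decides whether a SameSite-aware browser would attach the cookie to a cross-site iframe's requests. It assumes a simplified SameSite model: a cookie with no SameSite attribute is treated as Lax (the Chrome 80+ default), and the Lax+POST grace period is ignored.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # attribute names lower-cased

def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name=value plus its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)

def request_cookie_header(cookies: List[Cookie]) -> str:
    """The Cookie request header carries only name=value; Secure/HttpOnly/SameSite are never echoed back."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies)

def audit(cookie: Cookie) -> List[str]:
    """Findings a reviewer would raise about a session cookie's attributes."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: cookie is also sent over plain http")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: cookie is readable from script")
    if cookie.attrs.get("samesite", "").lower() == "none" and "secure" not in cookie.attrs:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    return findings

def browser_sends(cookie: Cookie, https: bool, cross_site: bool, top_level_nav: bool) -> bool:
    """Simplified SameSite model (assumption): a missing SameSite attribute counts as Lax,
    so a cross-site iframe's requests only carry the cookie with SameSite=None plus Secure."""
    if "secure" in cookie.attrs and not https:
        return False
    same_site = cookie.attrs.get("samesite", "lax").lower()
    if same_site == "none":
        return "secure" in cookie.attrs
    if not cross_site:
        return True
    return same_site == "lax" and top_level_nav
```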
I have a website freshly deployed on the internal network of a client. I can test it only by remote desktop on a Windows Server 2012.
The website performs SAML authentication: the browser first receives a session cookie from the website, then is redirected to the SAML identity provider, and comes back to the website with the SAML response, where it also sends back the session cookie. This works fine with Chrome, but for some reason IE11 won't send back the session cookie, which prevents the server from accepting the SAML authentication.
I have no idea why IE11 fails to send the session cookie. I have checked in the Network pane in the debug tools, and I do get the cookie (though I can't confirm IE is actually storing it):
Set-Cookie ASP.NET_SessionId=yzk4rdznlg534so2xuxqmuv4; path=/; HttpOnly
Then I am redirected to the identity provider, but when coming back to the website, it doesn't send the cookie. The cookie is HTTP only so I can't check in the console if it is stored or not. I have used the instructions posted here to see stored cookies, and I can't see a cookie for my website at any time (though redirections happen fast, so it could possibly be added and then removed before I have a chance to see it).
I also believe I have explored all possible security and privacy settings to allow everything, to no avail.
In case it's important, the site URL has no dot (it's https://mmr-pp_sef/).
Any idea how I could troubleshoot what is (or isn't) happening?
Well, turns out that it IS related to the URL used (should have checked myself sooner instead of just pointing out that the URL was weird in my question).
Apparently, IE will not store cookies if there is an underscore (_) in the host name. This can be verified by modifying your "hosts" file:
Open the file C:\Windows\System32\drivers\etc\hosts (you'll need admin rights)
Add this line at the end and save the file:
127.0.0.1 test_site
Enter the URL http://test_site in your browser (this assumes your web server listens on 127.0.0.1)
Observe that IE won't store any cookie.
The only workaround I have at this time is to use another host name that does not contain an underscore, such as test-site.
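A pre-deployment check for the host-name problem described in this answer, added here as an example (not the answerer's code): it flags labels that contain an underscore or otherwise break the RFC 1123 host-name rules, and applies the answer's workaround of swapping underscores for hyphens. The URLs checked in the test are the page's own mmr-pp_sef and test_site plus constructed ones.

```python
import re
from typing import List
from urllib.parse import urlsplit

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def hostname_problems(url: str) -> List[str]:
    """Reasons the URL's host is not a valid host name; an underscore is the case IE rejects."""
    host = urlsplit(url).hostname or ""
    if not host:
        return ["URL has no host"]
    problems = []
    if len(host) > 253:
        problems.append("host name longer than 253 characters")
    for label in host.split("."):
        if "_" in label:
            problems.append(f"label {label!r} contains '_' (IE will not store cookies for it)")
        elif not LABEL.match(label):
            problems.append(f"label {label!r} is not a valid host-name label")
    return problems

def suggest_hostname(url: str) -> str:
    """The workaround from the answer: replace underscores in the host with hyphens."""
    host = urlsplit(url).hostname or ""
    return host.replace("_", "-")
```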
I am trying to set up FormsAuth for my MVC app. When I browse to the login action (which has the AllowAnonymous attribute), I get a 401.2 error. My web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
My IIS authentication settings for the web app have Forms Auth and Anon Auth enabled; the others (including Windows Auth) are disabled.
There are no web.configs in any parent directories overriding the settings.
As per the help screen, I have tried all the suggestions:
Causes
No authentication protocol (including anonymous) is selected in IIS. - Forms and Anon are enabled
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication. - Not the case
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server. - Not the case
The Web server is not configured for anonymous access and a required authorization header was not received. - Anon is enabled
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access. - Set to allow all
Things To Try
Verify the authentication setting for the resource and then try requesting the resource using that authentication method. - Done
Verify that the client browser supports Integrated authentication. - Using Chrome, other sites work
Verify that the request is not going through a proxy when Integrated authentication is used. - No proxy
Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section. - Verified
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. - When I run this I get "AUTH_INVALID_ANON_ACCOUNT" error: Logon failure: unknown user name or bad password. (0x8007052e).
Any ideas? I've googled this for quite a bit, but cannot find a solution.
I've also tried changing the app pool to an app pool of a web app that I know works (with the same settings). Still failed.
It works fine with IIS Express
I'm trying to set the session cookie secure flag to true. I added the following to my environments/production.rb
ActionController::Base.session_options[:secure] = true
In production mode I don't see the Set-Cookie header in the server response (I'm using the Tamper Data Firefox tool to view the traffic). I tried removing all cookies and manually setting the domain, including the child domain (since the domain is shared among many applications, the Apache server forwards the requests to the right application and thus the request is always received by the application server as if it's coming from localhost).
I also tried to test it in development mode. I assume the server should at least set the cookie even if the request is over http (the browser won't send the cookie over http), but again the server does not send the Set-Cookie header. The session works just fine if I don't set the secure flag. Am I missing something here?
I found out that in my version of actionpack, session cookies are only set over ssl.
Although by definition the server can set a secure cookie when the request is over http, the browser will not send it with further requests. In my application I don't enforce SSL at the app level but at the Apache level instead, so the initial request made by Rails is over http and the cookie is not set.
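The server-side behaviour this answer describes, modelled as an added example in Python (not Rails' or the poster's code, and in Python only to match the other examples on this page): a secure-only session cookie is withheld when the request does not look like TLS, so an app behind a TLS-terminating Apache must learn the original scheme from X-Forwarded-Proto, and should trust that header only when the request came from the proxy. The cookie name _session_id and the header handling are assumptions for illustration.

```python
from typing import Mapping, Optional

def request_is_ssl(scheme: str, headers: Mapping[str, str], from_trusted_proxy: bool) -> bool:
    """True when the client's connection was TLS. Behind a TLS-terminating reverse proxy
    the app sees plain http, so the proxy forwards the original scheme in X-Forwarded-Proto;
    that header is client-controlled, so it is honoured only from the trusted proxy (assumption)."""
    if scheme.lower() == "https":
        return True
    if not from_trusted_proxy:
        return False
    forwarded = headers.get("X-Forwarded-Proto", "")
    return forwarded.split(",")[0].strip().lower() == "https"

def session_set_cookie(session_id: str, secure: bool, is_ssl: bool) -> Optional[str]:
    """Build the Set-Cookie header, or return None when a secure-only cookie would have to
    go out on a non-TLS request (the behaviour observed in the answer). Name is constructed."""
    if secure and not is_ssl:
        return None
    attrs = ["path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join([f"_session_id={session_id}"] + attrs)
```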