Getting error missing Secure Flag From SSL Cookie in mojo portal

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

1/22/2014 6:53:00 AM
Total Posts 18

Getting error missing Secure Flag From SSL Cookie in mojo portal

Hi Joe,

I am getting one error, "missing Secure Flag From SSL Cookie", during a PCI compliance check.

Scenario: I have one site in mojo portal; some pages use https but some do not.

When I put requireSSL = true in web.config and tried to log in to the site, I got a pagenotfound error.

I found the following solution on Google:

Solution -
For each cookie sent over SSL in your website, add the "Secure" flag to the cookie. For example:
SetCookie: <name>=<value>[; <MaxAge>=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

<forms name=".mojochangeme" protection="All" timeout="129600" path="/" cookieless="UseCookies" requireSSL="true"/>

Then I tried to set requireSSL = true in web.config, but it is not working.

So, my question is how to set requireSSL="true" in mojo portal for secure flag cookies, and another is, can I set https for individual pages in mojo portal?

Thanks in advance for your help.

Prafull

1/22/2014 9:05:03 AM
Total Posts 18439

Re: Getting error missing Secure Flag From SSL Cookie in mojo portal

Are you using the standard mojoportal login page or is there any custom code for authentication? How are you logging in?

Have you forked mojoportal code in any way?

Did you log out and log in again to get a new cookie after changing the requireSSL attribute on <forms?

1/22/2014 11:10:09 PM
Total Posts 18

Re: Getting error missing Secure Flag From SSL Cookie in mojo portal

Yes, I am using the standard login page (i.e. /secure/login.aspx).

requireSSL - Using this attribute only for cookie encryption.

Is there any option to secure cookies in mojoPortal?

Thanks

Prafull

1/23/2014 6:23:50 AM
Total Posts 18439

Re: Getting error missing Secure Flag From SSL Cookie in mojo portal

You did not answer all of my questions.

requireSSL on the forms element will make the server not accept any cookie unless using a secure SSL connection. It will also flag new cookies as secure, so the browser does not pass them unless using a secure SSL connection. The cookie must be issued after changing this to true; it will not change the flag on an existing cookie that has already been issued, so the browser may still pass that cookie, but the server would not accept it. To get a new cookie you would have to log out and log in again after changing requireSSL to true.

This is a feature of ASP.NET forms authentication; it is not specific to mojoPortal. See also the article Use SSL.

1/23/2014 2:22:56 PM
Total Posts 18439

Re: Getting error missing Secure Flag From SSL Cookie in mojo portal

Note also that it is only the authentication cookie and the role cookie that we are concerned about for security purposes; there may be other cookies used for cosmetic purposes that are set without the secure flag. For example, there is a cookie that keeps the collapse or expand state of the admin toolbar, which is only visible to people with edit roles. That cookie is set from JavaScript and has no secure flag, and we don't care about it from a security perspective, as opposed to the authentication and role cookies, which are set by the server and should have the secure flag if requireSSL is true on the forms element when the cookie is set.
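
Added example (not part of the thread and not mojoPortal code): a small Python audit of Set-Cookie headers from an HTTPS response, following the last two replies: the authentication and role cookies must carry Secure, while other cookies are only reported. `.mojochangeme` is the forms cookie name from the web.config line quoted in the first post; the role and cosmetic cookie names and all sample headers are constructed placeholders.

```python
# Added example: audit Set-Cookie headers for the Secure flag.
# ".mojochangeme" is the forms cookie name quoted in the thread.
# "role-cookie-placeholder" is a made-up stand-in: the thread does not
# give the real name of the role cookie.
SENSITIVE = {".mojochangeme", "role-cookie-placeholder"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(set_cookie_headers, sensitive=SENSITIVE):
    """Classify each cookie seen on an HTTPS response.

    Returns (name, severity, has_httponly) tuples where severity is
    'ok' (Secure present), 'fail' (sensitive cookie without Secure) or
    'info' (non-sensitive cookie without Secure).
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            severity = "ok"
        elif name in sensitive:
            severity = "fail"
        else:
            severity = "info"
        findings.append((name, severity, "httponly" in attrs))
    return findings


# Constructed sample headers, not captured from a real site.
SAMPLE = [
    ".mojochangeme=ABC123; path=/; HttpOnly",          # issued while requireSSL was false
    ".mojochangeme=DEF456; path=/; secure; HttpOnly",  # issued after requireSSL="true"
    "role-cookie-placeholder=XYZ; path=/; Secure; HttpOnly",
    "cosmetic-placeholder=open; path=/",               # cosmetic, not security relevant
]

if __name__ == "__main__":
    for name, severity, http_only in audit(SAMPLE):
        print(f"{severity:5} {name} HttpOnly={http_only}")
```

A 'fail' on the authentication cookie right after changing the setting usually means the cookie predates the change; log out, log in again, and re-run the check against the newly issued cookie.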
