I ran the https://asafaweb.com test again a mojo site, and one of the results said
View state MAC: Not tested
and explained this was probably because the viewstate is encrypted, but recommended checking that enableViewStateMac="true" in web.config. So I checked, and it's not. We have:
<pages validateRequest="false" enableViewStateMac="false" viewStateEncryptionMode="Auto" maxPageStateFieldLength="500" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID">
So I read Troy's article explaining why this is bad:
but also warning that changing it may break stuff if there was a reason for switching it off in the first place. But since he and Microsoft apparently say there is never an acceptable reason for turning it off, I though I'd ask here... why is it off and is it safe to change the setting?
Another result warned that although our site is running as SSL the ASP.NET_SessionId cookie is not flagged as secure. Background info here:
I see this can be changed with a simple web.config entry, but again... is there any reason not to change this? And if not, could this be set in code when mojo knows the site is running under SSL?