view state MAC = false? and secure cookies over https

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
4/10/2014 11:31:03 AM
Gravatar
Total Posts 115

view state MAC = false? and secure cookies over https

Hi Joe

I ran the https://asafaweb.com test again a mojo site, and one of the results said

View state MAC: Not tested

and explained this was probably because the viewstate is encrypted, but recommended checking that enableViewStateMac="true" in web.config. So I checked, and it's not. We have:

<pages validateRequest="false" enableViewStateMac="false" viewStateEncryptionMode="Auto" maxPageStateFieldLength="500" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID">

So I read Troy's article explaining why this is bad:

http://www.troyhunt.com/2013/09/understanding-and-testing-for-view.html

but also warning that changing it may break stuff if there was a reason for switching it off in the first place. But since he and Microsoft apparently say there is never an acceptable reason for turning it off, I though I'd ask here... why is it off and is it safe to change the setting?

Another result warned that although our site is running as SSL the ASP.NET_SessionId cookie is not flagged as secure. Background info here:

http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html

I see this can be changed with a simple web.config entry, but again... is there any reason not to change this? And if not, could this be set in code when mojo knows the site is running under SSL?

thanks

 

4/10/2014 11:53:38 AM
Gravatar
Total Posts 18444

Re: view state MAC = false? and secure cookies over https

Hi,

The Web.config file included in mojoPortal 2.4.0.2 has this:

 <pages validateRequest="false" viewStateEncryptionMode="Auto" maxPageStateFieldLength="500" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID">

validateRequest is false because we do our own validation of inputs and setting it to true causes problems/errors when posting back html content from a wysiwyg editor.

enableViewStateMac may have been false in older versions of mojoPortal but it is left off in the latest version and the default is true so you can safely remove it or change it to true in your Web.config.

How to secure the authentication cookie is explained in our article Use SSL, but we cannot do it by default because it requires an SSL certificate and without one no-one could log in at all with it required. Most/many new sites won't have an SSL certificate right away at setup time but once you have one you should definitely secure the cookies.

Hope that helps,

Joe

4/10/2014 12:26:49 PM
Gravatar
Total Posts 115

Re: view state MAC = false? and secure cookies over https

Thanks  I have removed enableViewStateMac="false" with no ill effects and that test now passes.

But for the cookie protection, as well as the settings noted in the "Use SSL" page I also had to add this to system.web section:

    <system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />

to ensure the cookie was flagged as secure, Without this the site did not pass that particular test. Do you have any thoughts on whether that is necessary and advisable in an SSL mojo site?

4/10/2014 12:55:56 PM
Gravatar
Total Posts 18444

Re: view state MAC = false? and secure cookies over https

The settings mentioned in the Use SSL article will secure the authentication cookie and the role cookie which are the only ones I know of with security implications.

Adding the <httpCookies element as you have just means that any other cookies issued for the web site would also be kept secure, but as far as I know any other cookies we are creating are only for cosmetic purposes such as the one to toggle the collapse state of the admin toolbar etc. I'll add that example to the document for good measure.

Best,

Joe

5/12/2014 1:27:26 PM
Gravatar
Total Posts 1188
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: view state MAC = false? and secure cookies over https

Hi guys, I knew I'd seen the EnableViewStateMac setting mentioned a few times in the forum lately, and I just came across this MSDN blog post saying that EnableViewStateMac="true" is going to be enforced in ASP.NET 4.5.2 and forward, and explaining why that is.

This seemed like an appropriate thread to mention this change.

Jamie

5/20/2014 9:10:14 AM
Gravatar
Total Posts 115

Re: view state MAC = false? and secure cookies over https

I think we are seeing problems with enableViewStateMac="true" after all.

We have two sites where users have been unable to register or login with this setting, when using IE (we've not seen it in others). Here's an example of what we see in the System Log:

2014-05-20 13:23:37,205 ERROR 62.197.41.190 - en-GB - / - mojoPortal.Web.Global -  Referrer(https://mysite.co.uk/Secure/Register.aspx?returnurl=https://mysite.co.uk/cmsi-overview) useragent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
System.Web.UI.ViewStateException: Invalid viewstate.
 Client IP: 62.197.41.190
 Port: 53431
 Referer: https://mysite.co.uk/Secure/Register.aspx?returnurl=https://mysite.co.uk/cmsi-overview
 Path: /Default.aspx
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
 ViewState: /wEPDwULLTIxMTg4ODMyMDEPZBYCZg9kFgICAw8WAh4FY2xhc3MFFXBhZ2Vib2R5IHJlZ2lzdGVycGFnZRYCAgMPZBYOAhMPDxYCHgdWaXNpYmxlaGRkAh8PDxYCHwFoZGQCIw8PFgIfAWhkZAIlDw8WBh4IQ3NzQ2xhc3MFEGxlZnRzaWRlIGNtc3pvbmUeBF8hU0ICAh8BaGRkAicPDxYEHwIFOWFydC1sYXlvdXQtY2VsbCBhcnQtY29udGVudC13aWRlIGNlbnRlci1ub21hcmdpbnMgY21zem9uZR8DAgJkFgICBQ9kFgICBQ9kFgQCAw9kFgICAQ8WAh4EVGV4dAVWWW91IGFyZSBhbHJlYWR5IHNpZ25lZCBpbi4gSWYgeW91IHdpc2ggdG8gY3JlYXRlIGEgbmV3IGFjY291bnQgeW91IG11c3Qgc2lnbiBvdXQgZmlyc3RkAgUPZBYEAgEPZBYCAgEPPCsADQMAPCsADwEADxYWHhpEdXBsaWNhdGVFbWFpbEVycm9yTWVzc2FnZQU0U29ycnkgYSB1c2VyIGFscmVhZHkgZXhpc3RzIHdpdGggdGhhdCBlbWFpbCBhZGRyZXNzLh4ORWRpdFByb2ZpbGVVcmwFPGh0dHBzOi8vY21zaWRvY3VtZW50YXRpb24uZXNkbS5jby51ay9TZWN1cmUvVXNlclByb2ZpbGUuYXNweB4YRmluaXNoRGV...

We are running 2.4.0.3.

Is this something else in our web site config, or a mojo bug? We have had to set enableViewStateMac="false" for the moment, and I don't want to leave it like that.

 

5/20/2014 9:25:58 AM
Gravatar
Total Posts 18444

Re: view state MAC = false? and secure cookies over https

IE specific viewstate login errors only happen on web servers that are not fully updated by windows update or that have some problem with the installation of .NET framework or registration of .NET in IIS. See similar issue here. It is not a bug in mojoPortal and cannot be fixed by changes in mojoPortal.

5/20/2014 9:39:04 AM
Gravatar
Total Posts 115

Re: view state MAC = false? and secure cookies over https

OK - thanks - I'm seeing that there is a failed update for .Net 4.5 on the server... more investigation needed.

5/21/2014 7:02:42 AM
Gravatar
Total Posts 115

Re: view state MAC = false? and secure cookies over https

You were quite right Joe, we had problems on that web server. A security update for .Net 4.5 was failing to install, which we have fixed now (I'll spare the gory details, but we had a few hours of down time!) and now that everything is working again we are no longer getting the viewstate error.

You must sign in to post in the forums. This thread is closed to new posts.