
Identity Manager 8.2 - Web Application Configuration Guide


Setting the "secure" attribute for ASP.NET session cookies

To prevent cookies from being read by unauthorized persons, you can set the so-called "secure" attribute on your ASP.NET session cookies. The browser then transmits these cookies only over encrypted SSL connections, never over plain HTTP.

To set the "secure" attribute for ASP.NET session cookies

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <system.web>
        <httpCookies requireSSL="true"/>
    </system.web>

  3. Save the file.


Disabling Windows IIS 8.3 short names

The URL parser in Microsoft Internet Information Services (IIS) allows remote attackers to discover the names of files and folders in a web application that should not be accessible, by probing with 8.3 short names.

Exploitation of this weakness can expose files containing sensitive data, such as login data, configuration files, and maintenance scripts.

To prevent this, you can stop Windows from creating 8.3 short names for the web application's files.

To disable creation of Windows IIS 8.3 short names

  1. On the system the web application is installed on, create the following registry entry:

    • Path: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

    • Name: NtfsDisable8dot3NameCreation

    • Value: 1

  2. Reinstall the web application.


Removing the HTTP response header in Windows IIS

Attackers can obtain a lot of information about your servers and network by looking at the response header your server returns.

To give attackers as little information as possible, you can remove the HTTP response header in Windows IIS.

To remove the HTTP response header in Windows IIS

Creating X-Frame-Options HTTP response header

Attackers can create their own website and use it to load your website inside an iframe. This enables a clickjacking attack, in which the attacker captures user input or tricks the user into performing unintended actions within the framed application.

To prevent this, you can set an X-Frame-Options HTTP response header. With the value SAMEORIGIN, browsers refuse to render the site's content inside frames on other origins.

To create an X-Frame-Options HTTP response header

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <!-- IIS reads httpProtocol from system.webServer, not system.web -->
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="X-Frame-Options" value="SAMEORIGIN" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

  3. Save the file.
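The two web.config settings above (the "secure" cookie attribute and the X-Frame-Options header) are easy to get wrong by placing the element in the wrong section or using a value browsers do not honour. The following audit script is an added example, not part of this guide or the Identity Manager product; it parses a constructed web.config and reports whether both hardening settings are present and effective.

```python
"""Audit a web.config for the two hardening settings described above.

Added example (not from the One Identity guide). Checks that
  - /configuration/system.web/httpCookies has requireSSL="true"
  - /configuration/system.webServer/httpProtocol/customHeaders carries an
    X-Frame-Options header whose value is DENY or SAMEORIGIN.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config with both settings applied correctly.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Values browsers honour; anything else leaves the site frameable.
ACCEPTED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def audit_web_config(xml_text: str) -> dict:
    """Return per-check findings; True means the setting is hardened."""
    root = ET.fromstring(xml_text)
    findings = {"cookies_secure": False, "x_frame_options": False}

    cookies = root.find("./system.web/httpCookies")
    if cookies is not None and cookies.get("requireSSL", "").lower() == "true":
        findings["cookies_secure"] = True

    # Header names are case-insensitive; the element must sit under
    # system.webServer, otherwise IIS never emits it.
    for add in root.findall("./system.webServer/httpProtocol/customHeaders/add"):
        if add.get("name", "").lower() == "x-frame-options":
            if add.get("value", "").strip().upper() in ACCEPTED_FRAME_OPTIONS:
                findings["x_frame_options"] = True
    return findings


if __name__ == "__main__":
    for check, ok in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{check}: {'OK' if ok else 'MISSING or WEAK'}")
```

Run it against a real web.config by reading the file into `audit_web_config`; a False result for either check means the corresponding procedure above has not taken effect.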
