
Identity Manager 8.2.1 - Web Designer Web Application Configuration Guide


Setting the "HttpOnly" attribute for ASP.NET session cookies

To prevent cookies from being manipulated by JavaScript and to reduce the risk of cross-site scripting attacks and cookie theft, you can set the so-called "HttpOnly" attribute for your ASP.NET session cookies. Cookies with this attribute can no longer be read or modified by client-side scripts.

To set the "HttpOnly" attribute for ASP.NET session cookies

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <system.web>
        <httpCookies httpOnlyCookies="true"/>
    </system.web>

  3. Save the file.

Setting the "same-site" attribute for ASP.NET session cookies

To prevent cross-site request forgery (CSRF), you can set the same-site attribute for your ASP.NET session cookies.

To set the "same-site" attribute for ASP.NET session cookies (all .NET versions from 4.7.2)

  1. Open the configuration file web.config for the chosen web application.

  2. Enter the following code snippet in the <configuration> section:

    <system.web>
        <httpCookies sameSite="Strict" />
    </system.web>

  3. Save the file.

Setting the "secure" attribute for ASP.NET session cookies

To prevent cookies from being read by unauthorized persons, you can set the so-called "secure" attribute for your ASP.NET session cookies. Cookies with this attribute are only transmitted over encrypted HTTPS (SSL/TLS) connections, never over plain HTTP.

To set the "secure" attribute for ASP.NET session cookies

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <system.web>
        <httpCookies requireSSL="true"/>
    </system.web>

  3. Save the file.
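As an added example that is not part of this guide, the following Python script audits a web.config for the three httpCookies settings described in the preceding procedures (HttpOnly, same-site, secure) and reports which are missing or weaker than recommended. The two web.config documents embedded in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hardening attributes the guide sets on <system.web><httpCookies>,
# with the value each must have.
REQUIRED = {
    "httpOnlyCookies": "true",   # HttpOnly: not readable by client-side script
    "requireSSL": "true",        # Secure: only sent over HTTPS
    "sameSite": "Strict",        # SameSite: not sent on cross-site requests
}

def audit_http_cookies(web_config_xml: str) -> dict:
    """Map each required attribute to 'ok', 'missing' or 'weak: <value>'.
    A missing <httpCookies> element reports every attribute as missing."""
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is %r" % root.tag)
    node = root.find("./system.web/httpCookies")
    if node is None:
        return {name: "missing" for name in REQUIRED}
    findings = {}
    for name, wanted in REQUIRED.items():
        actual = node.get(name)
        if actual is None:
            findings[name] = "missing"
        elif actual.strip().lower() == wanted.lower():
            findings[name] = "ok"
        else:
            findings[name] = "weak: %s" % actual   # e.g. sameSite="Lax"
    return findings

def is_hardened(web_config_xml: str) -> bool:
    """True only when all three attributes carry the recommended value."""
    return all(v == "ok" for v in audit_http_cookies(web_config_xml).values())

# Constructed sample configurations (not taken from the guide).
UNHARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" sameSite="Lax"/>
  </system.web>
</configuration>"""

HARDENED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit_http_cookies(cfg))
```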

Disabling Windows IIS 8.3 short names

The URL parser in Microsoft Internet Information Services (IIS) makes it possible for remote attackers to discover the names of files and folders belonging to web applications (including ones that should not be accessible) by probing for their 8.3 short names.

Exploiting this weakness can expose files containing sensitive data, such as login data, configuration files and maintenance scripts.

To prevent this, you can stop Windows from creating 8.3 short names for files on the system.

To disable creation of Windows IIS 8.3 short names

  1. On the system the web application is installed on, create the following registry entry:

    • Path: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

    • Name: NtfsDisable8dot3NameCreation

    • Value: 1

  2. Reinstall the web application so that its files are created without 8.3 short names. The registry setting only affects files created after it is set; short names of existing files remain in place.
