Chat now with support
Chat with Support

Identity Manager 9.2 - Web Designer Web Application Configuration Guide

About this guide Configuring the Web Portal Configuring self-registration of new users Configuring the Password Reset Portal WebAuthn security keys Configuring the Application Governance Module Recommendations for secure operation of web applications

Setting the "same-site" attribute for ASP.NET session cookies

To prevent cross-site request forgery (CSRF), you can set the same-site attribute for your ASP.NET session cookies.

To set the same-site attribute for all .NET versions from 4.8.

  1. Open the configuration file web.config for the chosen web application.

  2. Enter the following code snippet in the <configuration> section:

    <system.web>
        <httpCookies sameSite="Strict" />
    </system.web>
  3. Save the file.

Related topics

Setting the "secure" attribute for ASP.NET session cookies

To prevent cookies being read by unauthorized persons, you can set the so called "secure" attribute for your ASP.NET session cookies. This means that cookies are only transferred over secure SSL connections.

To set the "secure" attribute for ASP.NET session cookies

  1. Open the configuration file web.config for the chosen web application.

  2. In the <configuration> section, enter the following code snippet:

    <system.web>
        <httpCookies requireSSL="true"/>
    </system.web>
  3. Save the file.

Related topics

Disabling Windows IIS 8.3 short names

The URL parser in Microsoft Internet Information Services (IIS) makes it possible for remote attackers to reveal file and folder names of web applications (that should not be accessible) by using IIS 8.3 short names.

Use of this weak point can lead to files with sensitive data, such as login data, configuration files, maintenance scripts and other data, being passed on.

To prevent this, you can stop short names in Windows IIS 8.3 from being created.

To disable creation of Windows IIS 8.3 short names

  1. On the system the web application is installed on, create the following registry entry:

    • Path: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem

    • Name: NtfsDisable8dot3NameCreation

    • Value: 1

  2. Reinstall the web application.

Detailed information about this topic

Removing the HTTP response header in Windows IIS

Attackers can obtain a lot of information about your servers and network by looking at the response header your server returns.

To give attackers a little information as possible, you can remove the HTTP response header in Windows IIS.

To remove the HTTP response header in Windows IIS

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating