Securing Sitefinity Auth cookie

6 posts, 0 answered
  1. Zubair
    142 posts
    Registered:
    26 Dec 2007
    16 Mar 2011
    Hi,

    Our client is building a secure financial portal with us and he wants the Sitefinity auth cookie to be secured like the following. Can you please tell us how to do that, or is that even possible? Thanks.

    HttpCookie cookie = new HttpCookie("name");
    // Secure = true: the browser sends this cookie over HTTPS only
    cookie.Secure = true;
    cookie.Value = "Joe";

  2. Dido
    149 posts
    Registered:
    24 Sep 2012
    18 Mar 2011
    Hello Zubair,

    There are two kinds of state persistence in HTTP: server and "client", or "normal" cookies.
    HttpCookie is stored on the client's browser and is part of the HTTP protocol, thus insecure in its nature.
    In order to make cookies secure, you should buy an SSL certificate and force all related pages to be loaded in HTTPS via SSL.

    As the MSDN documentation says for HttpCookie.Secure:
    "Gets or sets a value indicating whether to transmit the cookie using Secure Sockets Layer (SSL)--that is, over HTTPS only."
    Setting this to true (e.g. accessing the cookie only if it is transferred over a secure channel), is vital.

    You should make sure that this does NOT work
    http://mysite/mysecurepage.aspx
    and that only this works
    https://mysite/mysecurepage.aspx

    In summary: making a cookie secure means encrypting the whole connection. To do this, you will need to buy an SSL license that works with at least 128-bit encryption (IE supports only that). If it is less (e.g. 64 up 256), it will be vulnerable to brute force attacks.

    Best wishes,
    Dido
    the Telerik team
  3. Zubair
    142 posts
    Registered:
    26 Dec 2007
    18 Mar 2011
    Hi,

    Thanks for that, but my question is how to serve the Sitefinity login page over SSL/HTTPS while the rest of my website remains on HTTP. For all the Sitefinity pages, I know there is a setting "Require SSL" in page properties. How do I do this for the Sitefinity login static page?

  4. Ivan Dimitrov
    16072 posts
    Registered:
    09 Dec 2016
    18 Mar 2011
    Hi Zubair,

    You can switch the port programmatically with a custom HttpHandler:

    HttpContext context = HttpContext.Current;
    context.Response.Redirect(context.Request.Url.AbsoluteUri.Replace("http://", "https://"), true);

    Kind regards,
    Ivan Dimitrov
    the Telerik team
  5. Zubair
    142 posts
    Registered:
    26 Dec 2007
    18 Mar 2011
    Thanks, and of course you mean detect if it's the Sitefinity login page, else ignore?
  6. Ivan Dimitrov
    16072 posts
    Registered:
    09 Dec 2016
    18 Mar 2011
    Hi Zubair,

    Yes, in the handler you can detect the current page from the context.

    All the best,
    Ivan Dimitrov
    the Telerik team
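
Added example, not part of the original posts and not Sitefinity code: the login-page redirect discussed in the thread, written as an ASP.NET IHttpModule that also marks the auth cookie Secure when it is issued over HTTPS. The login path is a hypothetical placeholder, and it is an assumption that the site's auth cookie is the standard forms authentication cookie and that HTTPS runs on the default port.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class SecureLoginModule : IHttpModule
{
    // Hypothetical placeholder: replace with the real path of the login page.
    private const string LoginPath = "/login-placeholder.aspx";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        bool isLogin = ctx.Request.Url.AbsolutePath.Equals(
            LoginPath, StringComparison.OrdinalIgnoreCase);
        if (isLogin && !ctx.Request.IsSecureConnection)
        {
            // Change only the scheme; a string Replace on the whole URI would
            // also rewrite any "http://" that appears inside the query string.
            var target = new UriBuilder(ctx.Request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1 // assumption: HTTPS listens on the default port
            };
            ctx.Response.Redirect(target.Uri.AbsoluteUri, true);
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection) return;
        // Assumption: the auth cookie uses the forms authentication cookie name.
        string name = FormsAuthentication.FormsCookieName;
        // Indexing Response.Cookies creates a missing cookie, so check AllKeys first.
        if (Array.IndexOf(ctx.Response.Cookies.AllKeys, name) < 0) return;
        HttpCookie authCookie = ctx.Response.Cookies[name];
        authCookie.Secure = true;   // never sent over plain HTTP
        authCookie.HttpOnly = true; // not readable from client script
    }

    public void Dispose() { }
}
```

With the cookie marked Secure, the browser will not send it to the pages that stay on http://, so the user is only recognised as logged in on HTTPS pages; without the flag, the cookie travels in clear text on every HTTP request.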