Symptoms
Cookies generated by K2 web applications do not have the secure flag set on them
Diagnosis
Using Google Chrome, the secure flag on each cookie can be inspected through Developer Tools > Resources (or Application) tab > Cookies.
Resolution
Make the following changes:
1. Runtime and Designer web.config files:
- K2 blackpearl\K2 smartforms Designer\web.config
- K2 blackpearl\K2 smartforms Runtime\web.config
a. Search for all "requireSSL" attributes and set them to "true"
b. Add the line below to the main <system.web> node:
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
2. FormsSTS and WindowsSTS web.config files:
- K2 blackpearl\Webservices\Identity\Sts\Forms\web.config
- K2 blackpearl\Webservices\Identity\Sts\Windows\web.config
You will notice that there are a couple of <system.web> nodes nested inside child nodes of the configuration node. Add a <system.web> node directly under the configuration node containing the following:
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
3. Additional Notes:
a. The AspxAutoDetectCookieSupport cookie contains no sensitive information and does not need to be marked as secure.
b. The ASP.NET_SessionId cookie is not directly used, but if it must be marked as secure, the following may be added to the configuration section of the ViewFlow web.config file (K2 blackpearl\Webservices\ViewFlow\web.config):
<system.web>
<httpCookies requireSSL="true" />
</system.web>
4. Make the following changes to the FormsSTS web.config:
a. Locate the following section:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" timeout="9000" />
</authentication>
b. Change the section to look like this:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" requireSSL="true" timeout="9000" />
</authentication>
Note: The ASPXAUTH cookie was not set to secure because the requireSSL attribute was not defined on the <forms> element in the FormsSTS web.config; step 4 adds it.
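As an added example (not part of the original K2 article), a Python check that audits a web.config for the three conditions the steps above fix (a requireSSL attribute not set to true, no global <httpCookies requireSSL="true"> directly under configuration/system.web, and a <forms> element without requireSSL) and then applies the fix. The sample XML is constructed from the FormsSTS excerpt in step 4; the function names are this example's own.

```python
"""Audit and harden cookie settings in an ASP.NET web.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the FormsSTS excerpt above, in its pre-fix state:
# no <httpCookies> node and a <forms> element with no requireSSL attribute.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" timeout="9000" />
    </authentication>
  </system.web>
</configuration>"""


def audit_cookie_security(config_xml: str) -> list:
    """Return findings that would leave cookies without the Secure flag."""
    root = ET.fromstring(config_xml)
    findings = []
    # Step 1a: every requireSSL attribute present in the file must be "true".
    for el in root.iter():
        if el.get("requireSSL", "true").lower() != "true":
            findings.append(f"<{el.tag}> has requireSSL={el.get('requireSSL')!r}")
    # Steps 1b/2: a global <httpCookies requireSSL="true"> directly under configuration/system.web.
    cookies = root.find("./system.web/httpCookies")
    if cookies is None or cookies.get("requireSSL", "").lower() != "true":
        findings.append("configuration/system.web/httpCookies missing or requireSSL not true")
    # Step 4: the <forms> element needs its own requireSSL, or the ASPXAUTH cookie stays non-secure.
    for forms in root.iter("forms"):
        if forms.get("requireSSL", "").lower() != "true":
            findings.append('<forms> lacks requireSSL="true"; ASPXAUTH cookie will not be Secure')
    return findings


def harden(config_xml: str) -> str:
    """Apply the article's changes and return the modified web.config as a string."""
    root = ET.fromstring(config_xml)
    sw = root.find("system.web")
    if sw is None:  # step 2: add <system.web> directly under <configuration> if absent
        sw = ET.SubElement(root, "system.web")
    cookies = sw.find("httpCookies")
    if cookies is None:
        cookies = ET.SubElement(sw, "httpCookies")
    for attr in ("httpOnlyCookies", "requireSSL", "lockItem"):
        cookies.set(attr, "true")
    for forms in root.iter("forms"):  # step 4: requireSSL on the forms authentication cookie
        forms.set("requireSSL", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_cookie_security(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(harden(SAMPLE_WEB_CONFIG))
```

Run the audit against the Designer, Runtime, STS and ViewFlow web.config files listed above before and after the change; an empty findings list means each file now matches the resolution.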