
How to enable secure flag for cookies generated by K2 web applications




Symptoms



Cookies generated by K2 web applications do not have the secure flag set on them.


Diagnosis



Using Google Chrome, the secure flag on each cookie can be inspected under Developer Tools > Resources (or Application) tab > Cookies.




Resolution




Make the following changes:




1. Runtime and Designer web.config files:
- K2 blackpearl\K2 smartforms Designer\web.config
- K2 blackpearl\K2 smartforms Runtime\web.config




a. Search for all "requireSSL" attributes and set them to true.




b. Add the line below to the main <system.web> node:


<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />




2. FormsSTS and WindowsSTS web.config files:
- K2 blackpearl\Webservices\Identity\Sts\Forms\web.config
- K2 blackpearl\Webservices\Identity\Sts\Windows\web.config




You'll notice that there are a couple of <system.web> nodes nested inside child nodes of the configuration node. Add a <system.web> node directly under the configuration node containing the following:
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />




3. Additional Notes:




a. The AspxAutoDetectCookieSupport cookie contains no sensitive information and has no need to be set to secure.




b. The ASP.NET_SessionId cookie is not directly used, but if it must also be marked secure, add the following to the configuration section of the ViewFlow web.config file (K2 blackpearl\Webservices\ViewFlow\web.config):


<system.web>
<httpCookies requireSSL="true" />
</system.web>




4. Make the following changes to the FormsSTS web.config:




a. Locate the following section:


<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" timeout="9000" />
</authentication>




b. Change the section to look like this:


<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" requireSSL="true" timeout="9000" />
</authentication>




Note: Without the requireSSL attribute on the <forms> element shown above, the FormsSTS web.config issues the ASPXAUTH cookie without the secure flag.
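To confirm that steps 1 through 4 took effect, here is an added Python check (not part of the original article or of K2) that parses a web.config and reports which cookie settings are still missing; the two inline samples are constructed from the FormsSTS fragment above and are not full K2 files.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the FormsSTS fragment in step 4 (not a full
# K2 web.config): BEFORE lacks requireSSL, AFTER has it plus the
# <httpCookies> element from steps 1b/2.
BEFORE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" timeout="9000" />
    </authentication>
  </system.web>
</configuration>"""

AFTER = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" defaultUrl="." slidingExpiration="true" requireSSL="true" timeout="9000" />
    </authentication>
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the cookie settings are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 1a: every requireSSL attribute anywhere in the file must be "true".
    for elem in root.iter():
        value = elem.get("requireSSL")
        if value is not None and value.lower() != "true":
            findings.append(f"<{elem.tag}> has requireSSL={value!r}, expected 'true'")
    # Steps 1b/2: <httpCookies> must sit directly under <configuration>/<system.web>.
    cookies = root.find("./system.web/httpCookies")
    if cookies is None:
        findings.append("no <httpCookies> element under <configuration>/<system.web>")
    else:
        for attr in ("httpOnlyCookies", "requireSSL"):
            if cookies.get(attr, "").lower() != "true":
                findings.append(f"<httpCookies> {attr} is not 'true'")
    # Step 4: without requireSSL on <forms>, the ASPXAUTH cookie is issued without Secure.
    for forms in root.iterfind(".//authentication[@mode='Forms']/forms"):
        if forms.get("requireSSL", "").lower() != "true":
            findings.append('<forms> lacks requireSSL="true" (ASPXAUTH cookie not secure)')
    return findings


def audit_file(path):
    # utf-8-sig strips the byte-order mark that many web.config files start with.
    with open(path, encoding="utf-8-sig") as fh:
        return audit_web_config(fh.read())
```

Run audit_file() against each of the web.config paths listed in steps 1, 2 and 4; an empty result for every file means the cookies will be issued with the secure flag.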




Last update:
‎08-24-2021 09:42 AM