Can someone spot if I'm missing anything else?
Following the direction from https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite, this is the IIS web.config I got for Strict:
<system.web>
<anonymousIdentification cookieRequireSSL="true" />
<authentication>
<forms cookieSameSite="Strict" requireSSL="true" />
</authentication>
<sessionState cookieSameSite="Strict" />
<httpCookies sameSite="Strict" requireSSL="true" />
<roleManager cookieRequireSSL="true" />
<compilation targetFramework="4.7">
...
</compilation>
...
<httpRuntime targetFramework="4.7"/>
</system.web>
And the result (Sorry, I couldn't embed image directly. Got error "couldn't reach Imgur"):
samesite="Strict" image
For SameSite="None", I simply change all the "Strict" to "None":
<system.web>
<anonymousIdentification cookieRequireSSL="true" />
<authentication>
<forms cookieSameSite="None" requireSSL="true" />
</authentication>
<sessionState cookieSameSite="None" />
<httpCookies sameSite="None" requireSSL="true" />
<roleManager cookieRequireSSL="true" />
<compilation targetFramework="4.7">
...
</compilation>
...
<httpRuntime targetFramework="4.7"/>
</system.web>
But it is not being added to the cookies:
samesite="None" image
Thanks in advance. Appreciate your help.
There was a comment in another thread that I was thinking of trying as the last resort due to the trouble of installing any software on the machine. It doesn't exactly match my scenario as it didn't work even when he was using "Strict". However, it does fix my problem after installing URL Rewrite.
I tried with <httpCookies sameSite="Strict" /> in .Net 4.7.2 but it did not work for the Asp.Net Identity cookie. This rewrite rule did. – Augusto Barreto Nov 22 '18 at 22:30
#AugustoBarreto Asp.Net Identity ignore the .config settings. Solution is to implement your own Cookie Handler. Derive from System.IdentityModel.Services.CookieHandler and implement WriteInternal method. – Saftpresse99 Mar 18 '19 at 12:18
Thanks, Augusto!
Related
We are using azure webapps for sitecore infrastructure.
We need to apply security hardening on CD i.e. disable the sitecore client access. I had a look at security hardening guide which mentions about disabling annonymous access to sitecore/admin access.
https://doc.sitecore.net/sitecore_experience_platform/security_hardening/deny_anonymous_users_access_to_a_folder
However this is not possible in Azure web-apps as we don't have access to IIS.
What's the best way to resolve this?
Another option is to use request filters. See https://sitecorecommerce.wordpress.com/2015/11/19/block-access-to-sitecore-folder-for-content-delivery-with-requestfilters/
Here's the relevant config from the post:
<system.webServer>
<security xdt:Transform ="Replace" >
<requestFiltering>
<denyUrlSequences>
<add sequence ="/sitecore/" />
<add sequence ="/_Dev/" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Additional references are available here: https://www.iis.net/configreference/system.webserver/security/requestfiltering
you can configure the security configurations in the web.config for your Sitecore CD server. E.g. Add this configuration under the root element at the end of your web.config.
<location path="App_Config">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</location>
I am trying to migrate an ASP.NET application to MVC 5. The final piece to migrate is the membership provider. I am unable to configure the application to access the existing membership provider.
I started by looking at the documentation at MSDN's Sample Membership Provider Implementation. This leads me to enter the following in my Web.config:
<membership defaultProvider="MyMembershipProvider">
<providers>
<clear />
<add
name="MyMembershipProvider"
type="my.namespace.MyMembershipProvider, my.package.name"
connectionStringName="MyServiceContext"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
writeExceptionsToEventLog="true"
/>
</providers>
</membership>
<roleManager defaultProvider="MyRoleProvider">
<providers>
<clear />
<add
name="MyRoleProvider"
type="my.namespace.MyRoleProvider, my.package.name"
/>
</providers>
</roleManager>
When I try to run the application, I get the following error:
The configuration section 'membership' cannot be read because it is missing a section declaration
What might I be doing wrong?
D'oh!
Turns out I had put the <membership> tag inside the top-level <configuration> section, but it belongs inside <system.web>:
<configuration>
... stuff ...
<system.web>
<membership ...>
... stuff from question description ...
</membership>
<roleManager ...>
... stuff from question description ...
</roleManager>
</system.web>
</configuration>
Changing the location in the file fixed the error.
I'm using Visual Studio 2013 on Windows 8. I have a web service built off ServiceStack. Everything works fine on my machine but when deploying it to AppHarbor I get a 500 error. I set customErrors mode="off" and I still get a 500 error with no stack trace.
According to AppHarbor's FAQ:
If enabling Custom Errors doesn't produce a stacktrace, then that's indicative of a configuration problem that prevents the ASP.NET runtime from initializing. You can debug such problems by deploying your app (either built locally or build output downloaded from AppHarbor) to a full IIS running on your local machine. You must configure the application pool to run in Integrated Pipeline mode to properly replicate AppHarbor's environment.
So I did this. I downloaded the build output from AppHarbor and ran it on my local IIS and it worked fine!
The AppHarbor Errors page says
No errors to display.
And a AppHarbor's log session feature displays no meaningful information:
2013-12-31T09:55:20.886+00:00 appharbor web.1 Created new worker (version 1388526921)
2013-12-31T09:55:24.864+00:00 appharbor web.1 Warming up (version 1388526921)
2013-12-31T09:55:32.134+00:00 appharbor web.1 Web worker root URL returned HTTP status code 500 (Internal Server Error) (version 1388526921)
Any suggestions?
--
for references, here's an outline of my web.config:
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<configSections>
<sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth">
<section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
<section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth" requirePermission="false" allowLocation="true" />
</sectionGroup>
</configSections>
<appSettings>
....
</appSettings>
<connectionStrings>
....
</connectionStrings>
<system.web>
<customErrors mode="Off">
</customErrors>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" />
</httpHandlers>
<compilation debug="true" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
</handlers>
<directoryBrowse enabled="true" />
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="MongoDB.Driver" publicKeyToken="f686731cfb9cc103" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.8.2.34" newVersion="1.8.2.34" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="MongoDB.Bson" publicKeyToken="f686731cfb9cc103" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-1.8.2.34" newVersion="1.8.2.34" />
</dependentAssembly>
</assemblyBinding>
<!-- This prevents the Windows Event Log from frequently logging that HMAC1 is being used (when the other party needs it). -->
<legacyHMACWarning enabled="0" />
</runtime>
<uri>
<!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),
which is necessary for OpenID urls with unicode characters in the domain/host name.
It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->
<idn enabled="All" />
<iriParsing enabled="true" />
</uri>
<system.net>
<defaultProxy enabled="true" />
<settings>
</settings>
</system.net>
<dotNetOpenAuth>
<!-- This is an optional configuration section where aspects of dotnetopenauth can be customized. -->
<!-- For a complete set of configuration options see http://www.dotnetopenauth.net/developers/code-snippets/configuration-options/ -->
<openid>
<relyingParty>
<security requireSsl="false">
</security>
<behaviors>
<!-- The following OPTIONAL behavior allows RPs to use SREG only, but be compatible
with OPs that use Attribute Exchange (in various formats). -->
<add type="DotNetOpenAuth.OpenId.RelyingParty.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
</behaviors>
</relyingParty>
</openid>
<messaging>
<untrustedWebRequest>
<whitelistHosts>
</whitelistHosts>
</untrustedWebRequest>
</messaging>
<!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. -->
<reporting enabled="true" />
</dotNetOpenAuth>
</configuration>
Just a wild guess: (not much to go on) but I have had similar problems when, for example, I was using the IIS rewrite module on my local machine (and it worked fine), but when I uploaded to a host that did not have that add-on module installed, I would get a 500 error with very little to go on - sounds similar. It drove me crazy trying to find it.
So make sure whatever options/addons that you might have and be using locally in IIS are also installed on the host.
Similarly, make sure you understand everything that is being referenced/used in your web.config - that is likely the problem area.
I'm trying to configure the default webpage for an IIS 7.5 website.
Request filtering is turned on. However .aspx pages are allowed, I've set default.aspx to be the default page for the website.
If I browse to localhost/default.aspx I get a webpage as expected.
IF I browse to localhost/ I get
HTTP Error 404.7 - Not Found
The request filtering module is configured to deny the file extension.
Any ideas?
It looks like the request filtering is actually filtering for a blank file name. Therefore you have to add this to the request filtering block in the web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
It's obvious now, but really I think its a massive gotcha.
More info: IIS 7 Not Serving Files - 404.7 Error
You can resolve by adding:
<requestFiltering>
<fileExtensions allowUnlisted="true">
<remove fileExtension="." />
<add fileExtension="." allowed="true" />
</fileExtensions>
</requestFiltering>
to your Web.Config file
You can resolve this by adding the file extension into the request filtering module of IIS.
Be sure to remove any PostBackURL="MyPage.aspx" from the button on the page. My guess is that when the postbackurl is included, IIS thinks its getting the page as a file. It rejects the .aspx file type by default. You can see this in the page error.
Bad: Creates a 404.7 (notice the PostBackURL)
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" PostBackUrl="MyPage.ascx" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
Good: No error
<asp:FileUpload runat="server" ID="uplReplaceFile" ToolTip="Update this file" />
<asp:Button runat="server" ID="bnHiddenFileUploadListener" OnClick="bnHiddenFileUploadListener_OnClick" />
I've setup ELMAH on a asp.net mvc 3 site with the correct configuration detailed on another SO question here. Everything works great on my local virtual dev IIS server but when I deploy to an IIS server when I try to go to /Admin/Elmah.axd I get the standard IIS "404 - File or directory not found.". Is there an IIS setting I'm missing?
<location path="admin">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
You have got to add the httphandler to the System.Webserver part of the web.config so that IIS routes it:
<system.webServer>
<handlers>
<add verb="POST,GET,HEAD" path="admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" name="Elmah"/>
</handlers>
</system.webServer>
I fixed the problem by installing the asp.net mvc elmah controller. You can find it here.