SameSite cookies IIS - iis

I have tried SameSite cookies in IIS, but no luck. How can I do that in IIS? BTW, I am using Windows Server 2012 R2.
config :
<sessionState timeout="60" cookieSameSite="None" />
<httpCookies sameSite="None"/>

This is often managed within the application's startup and initialization.
One way to do this in IIS, rather than your application, is to add an outbound rewrite rule to append SameSite=None to cookies sent in the response.
Example Web.config:
<system.webServer>
<rewrite>
<outboundRules>
<clear />
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>

According to MSFT documents:
The behavior of None was modified by updates described in KB article 4531182 and KB article 4524421.
Without these updates, the None value does not emit the SameSite cookie header
I suggest you first install the KB article 4531182 and KB article 4524421 updates; then it will work well.
For more details, you could refer to the article below:
https://learn.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8#remarks

Related

IIS ARR Reverse Proxy Works Until SSO Is Turned On

I am new to using IIS and the reverse proxy feature (ARR V3.0).
I have everything working correctly until a backend SSO authentication is enabled with the application.
The feature works from the IIS reverse proxy server if I go straight to the back end application, but it fails when you try to authenticate through the reverse proxy from the outside.
Flow is something like this when SSO is disabled:
Public User --> Public URL --> IIS/ARR --> Authentication --> Application Is Presented to user for login. Everything works. Again this is a single web server in the back end used for logon.
Flow is something like this when SSO is enabled:
Public User --> Public URL --> IIS/ARR --> Authentication --> Application Server --> SSO Application server --> IIS/ARR presents the back end (internal) SSO server name with DNS error. This is where the second server handling SSO is thrown into the mix.
The error displayed in a browser shows the internal server name in URL
(https://em004tcss066.xxxx.xxxx.xxx:8443/) with a DNS error (expected, since the external DNS records do not contain the internal server names). I do see the redirectToSSO message above the address bar as it does that in the background, but it eventually times out with a DNS error.
Current rules:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="ReverseProxyInboundRule1" stopProcessing="false">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<serverVariables>
<set name="HTTP_REFERER" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
<action type="Rewrite" url="https://em004tcweb062.xxx.xxxxxxxxx.xxx:3000/{R:1}" logRewrittenUrl="true" />
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Base, Form, Img" pattern="^http(s)?://em004tcweb062.xxx.xxxxxxxxx.xxx:3000/(.*)" />
<action type="Rewrite" value="https{R:1}://xxxxxteamcentertraining.xxx.xxxxxxxxx.xxx/{R:2}" />
</rule>
<rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
<match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
<action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
<preCondition name="NeedsRestoringAcceptEncoding">
<add input="{RESPONSE_CONTENT_TYPE}" pattern=".+" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<defaultDocument enabled="true" />
</system.webServer>
</configuration>
I know this is an issue with ARR, but I am not sure what rule needs to be added/modified to resolve it.

IIS SSL Vulnerabilities

Our security scans are showing these vulnerabilities in IIS. I updated web.config and added this section and reset IIS; however, the issue still exists. Any ideas how to resolve this?
<location path="Orion/Admin/Accounts/EditAccount.aspx">
<system.web>
<httpRuntime maxRequestLength="16096" executionTimeout="600" />
</system.web>
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
</location>
3.2.1. Missing HttpOnly Flag From Cookie (http-cookie-http-only-flag)
3.2.2. Missing Secure Flag From SSL Cookie (http-cookie-secure-flag)
You can try the following methods:
1. Enable HttpOnly Flag in IIS
Edit the web.config file of your web application and add the following:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
2. Enable Secure Flag in IIS
To enable the Secure flag in IIS, it is better to use URL Rewrite and add the following to your web.config file:
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Use only secure cookies" preCondition="Unsecured cookie">
<match serverVariable="RESPONSE_SET_COOKIE" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; secure" />
</rule>
<preConditions>
<preCondition name="Unsecured cookie">
<add input="{RESPONSE_SET_COOKIE}" pattern="." />
<add input="{RESPONSE_SET_COOKIE}" pattern="; secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>

how to protect Google Chrome 80 beta asp + iframe

The web service environment is operated by Windows 2012 server, IIS8.5, Classic asp.
This is a problem about the Chrome 80 SameSite issue.
On our site, we make payments by calling iframes and receive the results by returnurl.
However, there is a problem in the returnurl that changes the existing session value (sometimes it is maintained and sometimes it is changed).
I tried the following.
First, add a header in the source code as follows:
Response.AddHeader "Set-Cookie", "SameSite=None; Secure; path=/; HttpOnly"
Second, add to web.config:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None" />
<sessionState cookieSameSite="None" />
</system.web>
Third, add a web.config rewrite:
<rewrite>
<outboundRules>
<rule name="AddSameSiteCookieFlag">
<match serverVariable="RESPONSE_Set_Cookie" pattern="^(.*SessionID)(SameSite=Lax)" />
<action type="Rewrite" value="{R:1};SameSite=None" />
</rule>
</outboundRules>
</rewrite>
Is there a way to set the SameSite setting to None in IIS 8.5?
I'm running the exact configuration mentioned in this question and found the following web.config rewrite rules to work as a baseline solution:
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
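Both SameSite answers on this page (the one under the first question and the one just above) rely on the same append-if-missing outbound rule shape. The following Python is an added editor's example, not code from either post: it emulates that rule shape on constructed Set-Cookie values and audits the result, showing that the literal marker `; SameSite=None; Secure` does not stop the rule from stamping a second SameSite attribute onto a cookie that already carries `SameSite=Lax`. Per-header evaluation and case-insensitive matching are assumptions about how URL Rewrite evaluates the rule.

```python
import re
from dataclasses import dataclass

# Constructed sample Set-Cookie values (not taken from the original posts).
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; SameSite=Lax",
    "prefs=dark; path=/; SameSite=None; Secure; HttpOnly",
    "tankpas_cookie_accept=1; path=/; secure; httponly",
]


@dataclass(frozen=True)
class AppendRule:
    """Models one outbound rule of the shape used in the answers: the
    preCondition is `{RESPONSE_Set_Cookie}` non-empty AND not matching
    `marker`; the action rewrites the header to `{R:0}` + suffix."""
    marker: str   # regex; IIS <add> patterns default to ignoreCase="true" (assumption)
    suffix: str

    def apply(self, header: str) -> str:
        if header and not re.search(self.marker, header, re.IGNORECASE):
            return header + self.suffix
        return header


# The two rules as posted: both markers are literal strings, not regexes.
RULES_AS_POSTED = [
    AppendRule(re.escape("; HttpOnly"), "; HttpOnly"),
    AppendRule(re.escape("; SameSite=None; Secure"), "; SameSite=None; Secure"),
]


def rewrite(headers, rules=RULES_AS_POSTED):
    """Run every rule over each Set-Cookie header independently
    (assumption: IIS evaluates the rule once per Set-Cookie header)."""
    out = []
    for h in headers:
        for rule in rules:
            h = rule.apply(h)
        out.append(h)
    return out


def audit(header):
    """Parse one Set-Cookie value and report the flags a scanner checks,
    plus whether the cookie now carries conflicting SameSite attributes."""
    attrs = [a.strip().lower() for a in header.split(";")[1:]]
    samesite = [a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")]
    return {
        "name": header.split("=", 1)[0],
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": samesite,
        "conflicting_samesite": len(set(samesite)) > 1,
    }
```

Running `audit` over `rewrite(SAMPLE_SET_COOKIE)` flags the second cookie as carrying both `lax` and `none`; a marker such as `SameSite=` (a regex matching any existing value) avoids the double stamp, but then a pre-existing `Lax` is kept rather than replaced.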

HTTP 401 Error Only When Using IIS ARR Proxy

An application which contains a web interface is running on a Windows Server 2019 system with IIS 10 and ARR installed. When navigating to the web page using IP:Port, the web page loads correctly. When navigating to the web page using domain.com, the website has some content that shows a 401 error in the console, and the page does not load correctly.
When navigating to the domain, the request passes through IIS and URL Rewrite. It would seem that there is some issue with regard to passing the information through the proxy.
This is the code for the rewrite rule in IIS:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:33337/{R:1}" />
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:33337\/?(.*)" />
<action type="Rewrite" value="http{R:1}://sub.domain.com/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<urlCompression doStaticCompression="false" doDynamicCompression="true" dynamicCompressionBeforeCache="false" />
</system.webServer>
</configuration>
This is the GitHub Issue link for this specific issue:
https://github.com/qbittorrent/qBittorrent/issues/11207
I reproduced the issue.
Apparently qBittorrent expects clients to send same-origin Referer headers. In your case it must be localhost:33337, but obviously sub.domain.com is being sent.
This security measure is activated by the Enable Cross-Site Request Forgery (CSRF) protection setting, which can be reached via qBittorrent > Options > Web UI > Security.
You have two options for the solution.
1. Disable the setting.
2. Rewrite the Referer header with an appropriate value.
If you want to rewrite the header, after allowing server variables HTTP_REFERER and HTTP_ORIGIN as you did for HTTP_ACCEPT_ENCODING, you should change your rules as follows.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:33337/{R:1}" />
<!-- New Optional Condition -->
<conditions logicalGrouping="MatchAny">
<add input="{HTTP_REFERER}" pattern="^(?:https?://[^/]*/(.*))?$" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="" />
<!-- New Header Rewrite -->
<set name="HTTP_REFERER" value="http://localhost:33337/{C:1}" />
<!-- Remove Origin Header -->
<set name="HTTP_ORIGIN" value="" />
</serverVariables>
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Form, Img" pattern="^http(s)?://localhost:33337\/?(.*)" />
<action type="Rewrite" value="http{R:1}://sub.domain.com/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<urlCompression doStaticCompression="false" doDynamicCompression="true" dynamicCompressionBeforeCache="false" />
</system.webServer>
</configuration>
BTW, bear in mind that qBittorrent warns you about the issue. Remember to check the Execution Log tab.
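As an added example (not code from the answer or from qBittorrent), this Python emulates the posted inbound rule's condition and server-variable rewrites on constructed request headers and models the same-origin Referer check the answer describes. Two things are worth seeing: a Referer with no path at all (no trailing slash) fails the condition, so URL Rewrite skips the whole rule and the request is not proxied; and once the Referer is rewritten to the backend origin, the backend's check passes for every proxied request, so for traffic arriving through the proxy the outcome is the same as option 1. The backend check is a constructed approximation, and `{C:1}` yielding an empty string for a non-participating group is an assumption about IIS back-references.

```python
import re
from urllib.parse import urlsplit

# Condition regex and backend origin are those from the posted rule.
REFERER_CONDITION = re.compile(r"^(?:https?://[^/]*/(.*))?$", re.IGNORECASE)
BACKEND_ORIGIN = "http://localhost:33337"


def rewrite_inbound(headers):
    """Emulate the inbound rule's effect on the request headers.
    Returns the rewritten headers, or None when the condition fails; in that
    case URL Rewrite skips the whole rule, so the request is not proxied."""
    referer = headers.get("Referer", "")
    m = REFERER_CONDITION.match(referer)
    if m is None:
        return None
    new = dict(headers)
    # {C:1} is the captured path; assumption: a non-participating group gives "".
    new["Referer"] = f"{BACKEND_ORIGIN}/{m.group(1) or ''}"
    new["Origin"] = ""  # <set name="HTTP_ORIGIN" value="" /> blanks the header
    return new


def referer_is_same_origin(headers):
    """Constructed model of the backend check the answer describes: the
    Referer's scheme://host[:port] must equal the origin the backend serves."""
    referer = headers.get("Referer", "")
    if not referer:
        return False
    u = urlsplit(referer)
    return f"{u.scheme}://{u.netloc}".lower() == BACKEND_ORIGIN


# Constructed request header sets as a browser would send them via the proxy.
FROM_BROWSER = {"Host": "sub.domain.com", "Referer": "https://sub.domain.com/",
                "Origin": "https://sub.domain.com"}
DEEP_LINK = {"Host": "sub.domain.com",
             "Referer": "https://sub.domain.com/api/v2/torrents/info?x=1"}
NO_SLASH = {"Host": "sub.domain.com", "Referer": "https://sub.domain.com"}
```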

DNN cookies not secure on all portals

I have a website in DNN 8.00.04.
Within this site I have 5 portals.
In the main portal all my cookies are secure and http only.
But on the other 4 portals they are not.
I have looked at the community of DNN but found nothing relevant.
How can I make sure that they are all secure?
The 'tankpas_cookie_accept' is a cookie I create in code, and it is set to Secure and HttpOnly.
For the ASP.NET_SessionId I have used the following article to refresh the id:
Generating a new ASP.NET session in the current HTTPContext
But the other cookies are DNN cookies, which I don't know how to make secure.
I already tried to make the portal SSL enabled
through: Host - Site Management - (the portal) - Advanced setting - SSL Settings
SSL Enabled: checked
SSL Enforced: checked
--EDIT--
Changing the web.config from
<httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />
to
<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />
Changing this, however, made the admin portal unavailable.
-- Edit 2 --
Adding the following gives me a 505 error when trying to open the site.
<rewrite>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
cookies main portal
cookies second portal
Thx
Not sure if this is exactly what you need, but you could enable Strict Transport Security in the Web.Config.
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
And enable secure cookies:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>