I found numerous examples of adding the HttpOnly to my cookies but it does not work for me and I am not sure why. All the examples I found were the same and I copied this one from one of the posts that I had found. I am using .NET 3.5 under IIS 7.0. Hopefully someone can tell me what I am doing wrong? Thanks
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
UPDATE
I figured out how to turn on tracing and found that the preCondition is looking at all the cookies as a whole instead of each individual cookie.
So instead of evaluating
Set-Cookie: myC5=we have S Cookie; path=/; secure
Set-Cookie: myC6=we have S Cookie; path=/; secure
Set-Cookie: myC7=we have S Cookie; path=/; secure; HttpOnly
It is evaluating
myC5=we have S Cookie; path=/; secure,myC6=we have S Cookie; path=/; secure,myC7=we have S Cookie; path=/; secure; HttpOnly
Since the whole string has ; HttpOnly in it, the preCondition fails.
How do I get past this? Any ideas?
I finally got pass this so I wanted to post for others that might run into this. I removed my preConditions and just used conditions. I then had to use the back reference to get to the single cookie.
<rewrite>
<outboundRules>
<rule name="Add HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
<conditions>
<add input="{R:0}" pattern="; HttpOnly" negate="true" />
</conditions>
<action type="Rewrite" value="{R:0}; HttpOnly" />
</rule>
<rule name="Add Secure">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".+" />
<conditions>
<add input="{R:0}" pattern="; Secure" negate="true" />
</conditions>
<action type="Rewrite" value="{R:0}; Secure" />
</rule>
</outboundRules>
</rewrite>
Hope this helps someone in the future.
Related
The web service environment is operated by Windows 2012 server, IIS8.5, Classic asp.
this is problem about Chrome 80ver SameSite Issue.
On our site, we make payments by calling iframes and receive the results by returnurl.
However, there is a problem in returnurl that changes the existing session value (sometimes it is maintained and sometimes it is changed).
I tried to
First. Add header in source code as follows
Response.AddHeader "Set-Cookie", "SameSite=None; Secur; path=/; HttpOnly"
Second. Add web.config
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="None" />
<sessionState cookieSameSite="None" />
Third. Add web.config rewrite
<rewrite>
<outboundRules>
<rule name="AddSameSiteCookieFlag">
<match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*SessionID)(SameSite=Lax)" />
<action type="Rewrite" value="{R:1};SameSite=None" />
</rule>
</outboundRules>
Is there a way to set the samesite setting to none in IIS8.5?
I'm running the exact configuration mentioned in this question and found the following web.config rewrite rules to work as a baseline solution:
<rewrite>
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None; Secure" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
Will rule #2 get hit if rule #1 does first? Or will it stop at rule #1 for IIS Url Rewrite Module. I am trying to skip webfonts with the specific origin.
<outboundRules>
<rule name="Set Access-Control-Allow-Origin header">
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="true">
<add input="{HTTP_ORIGIN}" pattern="(http(s)?://((.+\.)?(thestatbook\.com|localhost:3000)))" />
</conditions>
<action type="Rewrite" value="{C:0}" />
</rule>
<rule name="Enable CORS for Fonts">
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
<conditions>
<add input="{REQUEST_URI}" pattern="^[^\?]+\.(ttf|otf|eot|woff|woff2|svg)(\?.*)?$" />
</conditions>
<action type="Rewrite" value="*" />
</rule>
</outboundRules>
Will rule #2 get hit if rule #1 does first? Or will it stop at rule #1 for IIS Url Rewrite Module.
As far as I know, both outboundRules wil hit. It will firstly run "Set Access-Control-Allow-Origin header", then "Enable CORS for Fonts". You could write a simple rule to and use postman to test it.
Rule like below:
This rule will modify the Access-Control-Allow-Origin and Server variable.
<outboundRules>
<rule name="removingserverheader" enabled="true" stopProcessing="true">
<match serverVariable="RESPONSE_SERVER" pattern=".*" />
<action type="Rewrite" value="0" />
</rule>
<rule name="Enable CORS for Fonts">
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
<conditions>
<add input="{HTTP_ORIGIN}" pattern=".*" />
</conditions>
<action type="Rewrite" value="2" />
</rule>
</outboundRules>
Result:
If you just want only one rule is fired not hit another rule. I suggest you could try to use StopProcessing flag.
It means when the rule action is performed (i.e. the rule matched) and this flag is turned on, it means that no more subsequent rules will be processed and the request will be passed to the IIS request pipeline. By default, this flag is turned off.
Rule like below:
<rewrite>
<outboundRules>
<rule name="removingserverheader" enabled="true" stopProcessing="true">
<match serverVariable="RESPONSE_SERVER" pattern=".*" />
<action type="Rewrite" value="0" />
</rule>
<rule name="Enable CORS for Fonts" enabled="true">
<match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
<conditions>
<add input="{HTTP_ORIGIN}" pattern=".*" />
</conditions>
<action type="Rewrite" value="2" />
</rule>
</outboundRules>
</rewrite>
Result:
I have a URL(auto-generated) which is having plus( + ) in the path and I was getting 404 for that.
I searched for a while a found that we can enable double encoding using the following:
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
The problem I am facing is with the rewrite rule for that URL, the plus is being replaced with whitespace in the captured groups:
<rule name="Test Page Rewrite" stopProcessing="true">
<match url="^test/([\-a-z0-9_.+]+)$" ignoreCase="true" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="test/index.cfm?p1={R:1}" />
</rule>
e.g.,
For URL: /test/test+page
The URL parameter available on the page is p1: test page
Is there any workaround for this to capture from the requested URL so that the URL parameter p1 will have a value of test+page(original)?
You can use UrlEncode function. This rule should work for you:
<rule name="Test Page Rewrite" stopProcessing="true">
<match url="^test/([\-a-z0-9_.+]+)$" ignoreCase="true" />
<conditions>
<add input="{REQUEST_URI}" pattern="^/test/index.cfm" negate="true" />
</conditions>
<action type="Rewrite" url="test/index.cfm?p1={UrlEncode:{R:1}}" />
</rule>
I have node.js server deployed in IIS on azure web sites and i want to block or redirect http requests. I use express + socket.io in my server.
I found 2 ways to do that:
in actual socket.io code by passing allowRequest parameter to socket.io. So my code will look like that :
var checkRequest = function (req, fn) {
fn(err, true);
};
var ioOptions = {
pingInterval: socketPingInterval,
pingTimeout: socketPingTimeout,
path: "/" + config.API_VERSION + "/socket.io",
allowRequest : checkRequest
};
_socketListener = io.listen(server, ioOptions);
the problem is that code never enters checkRequest method, and i dont know why.
Add rule to web.config file. I checked several forums, and everybody says that if i add this code:
<rule name="RedirecttoHTTPS">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{URL}" pattern="/$" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="SeeOther" />
</rule>
It will redirect my hpt requests to HTTPS. But it still works and i can access via HTTP.
Can anyonw help with any option ?
Using Kudu Console, create an applicationhost.xdt file in your d:\home\site folder, containing the following:
<rewrite xdt:Transform="InsertIfMissing">
<rules xdt:Transform="InsertIfMissing">
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
<add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
And remove whatever you added to your web.config. This should just work.
This worked for me with a Node web app in Azure...
https://stpdev.wordpress.com/2015/09/23/force-https-redirection-for-nodejs-apps-hosted-in-azure/
<rewrite>
<rules>
<rule name="Force HTTPS" enabled="true">
<match url="(.*)" ignoreCase="false" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
According to this answer, for redirecting a mobile user to a mobile site you should add the HTTP header-
Vary: user-agent
I'm using IIS URL Rewrite module, with a rule like this-
<rule name="Production Mobile Rewrite 1" patternSyntax="ECMAScript" stopProcessing="true">
<match url="(.*)" ignoreCase="true" negate="false" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{HTTP_USER_AGENT}" pattern="midp|mobile|phone" />
<add input="{HTTP_HOST}" pattern="^www.example.com$" />
</conditions>
<action type="Redirect" url="http://m.example.com/{R:1}" appendQueryString="false" redirectType="Found" />
</rule>
How would I set the vary header in this response?