
I'm tasked with securing a Kentico 11 site (11.0.47). Specifically, I must set the Secure flag for the .ASPXFORMSAUTH cookie.

Reading the documentation, I've modified web.config:

<forms loginUrl="CMSPages/logon.aspx" 
       defaultUrl="Default.aspx" 
       name=".ASPXFORMSAUTH" 
       timeout="60000" 
       slidingExpiration="true" 
       requireSSL="true" />

I also added:

<system.web>
      <!-- element name is case-sensitive (system.web), and httpCookies has no children, so it must be self-closed -->
      <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

without luck. I also tried adding lockItem="true" attribute to httpCookies element, but that broke Kentico Admin app. Some of the cookies get secured, but .ASPXFORMSAUTH doesn't.

karel

1 Answer


We've recently had this issue.

Setting the cookie in Application_EndRequest to secure as stated in the above comment also didn't help.

The only thing that enabled us to set the cookie to SSL-only was to change the name of the auth cookie in the web.config file. This should not break any other existing functionality.

Something like this should work:

<forms loginUrl="CMSPages/logon.aspx" 
       defaultUrl="Default.aspx" 
       name=".ASPXFORMSAUTHENTICATION" 
       timeout="60000" 
       slidingExpiration="true" 
       requireSSL="true" />

We are still unsure why this happens, but it does fix the issue.

Alen Genzić

    This may be because there was already a cookie present on the browser. I just made this same change and it did not update any existing cookies. It only set the flag for new cookies. Changing the name would also cause a new cookie to be created. – nbushnell Apr 06 '20 at 22:32
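Whichever web.config change you land on, the thing to verify is the Set-Cookie header the server actually emits, since a stale cookie already in the browser (as the comment above notes) will not show the new flags. The following audit script is an added example, not code from the question, the answer, or Kentico: it parses Set-Cookie header lines and reports any cookie missing the Secure or HttpOnly attribute, and whether the configured forms-auth cookie name was seen at all. The header lines below are constructed samples, not captured from a real site.

```python
"""Audit Set-Cookie headers for a forms-authentication cookie that lacks
Secure/HttpOnly. Constructed sample data; names and values are illustrative."""

# Constructed "before" response: the auth cookie is HttpOnly but not Secure.
SAMPLE_HEADERS_BEFORE = [
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; secure",
    "Set-Cookie: CMSPreferredCulture=en-US; expires=Tue, 06-Apr-2021 22:32:00 GMT; path=/; secure",
    "Set-Cookie: .ASPXFORMSAUTH=0A1B2C; path=/; HttpOnly",
    "Content-Type: text/html; charset=utf-8",
]

# Constructed "after" response: the renamed auth cookie now carries both flags.
SAMPLE_HEADERS_AFTER = [
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; secure",
    "Set-Cookie: .ASPXFORMSAUTHENTICATION=0A1B2C; path=/; HttpOnly; secure",
    "Content-Type: text/html; charset=utf-8",
]


def parse_set_cookie(header_line):
    """Parse one 'Set-Cookie: name=value; attr; attr=val' line.

    Returns (cookie_name, set_of_lowercased_attribute_names). Only the first
    colon separates the header name from its value, so an 'expires=' date
    containing colons is handled correctly.
    """
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(headers, auth_cookie_name, required=("secure", "httponly")):
    """Check every Set-Cookie line in a response's header list.

    Returns a dict with:
      'auth_cookie_seen': True if a cookie named exactly auth_cookie_name
                          was set by this response (a missing entry usually
                          means the browser is still holding an old cookie
                          and the server issued nothing new);
      'missing':          {cookie_name: [flags it lacks]} for every cookie
                          that lacks at least one required attribute.
    """
    result = {"auth_cookie_seen": False, "missing": {}}
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if name == auth_cookie_name:
            result["auth_cookie_seen"] = True
        lacking = [flag for flag in required if flag not in attrs]
        if lacking:
            result["missing"][name] = lacking
    return result


def report(headers, auth_cookie_name):
    """Human-readable summary of audit(); returns the lines it prints."""
    res = audit(headers, auth_cookie_name)
    lines = []
    if not res["auth_cookie_seen"]:
        lines.append(f"WARNING: no Set-Cookie for {auth_cookie_name!r} in this response")
    for name, flags in res["missing"].items():
        lines.append(f"{name}: missing {', '.join(flags)}")
    if not lines:
        lines.append("all cookies carry the required flags")
    for entry in lines:
        print(entry)
    return lines


if __name__ == "__main__":
    print("-- before --")
    report(SAMPLE_HEADERS_BEFORE, ".ASPXFORMSAUTH")
    print("-- after --")
    report(SAMPLE_HEADERS_AFTER, ".ASPXFORMSAUTHENTICATION")
```

To run this against a real deployment, collect the raw response headers from a logon request (for example from the browser's network panel, or `urllib.request.urlopen(...).headers.items()` over HTTPS) and pass them to `audit` with the `name` value from your `<forms>` element. Run it in a fresh browser profile or after clearing cookies, so the result reflects what the server sends today rather than what a client cached earlier.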