Saturday, June 11, 2016

more takeaways from a Cigital training at work this week

Some rather convoluted suggestions for abandoning ship in Forms Authentication, i.e. signing the user out (the training also suggested bolting account creds right into the Web.config file???):

  1. // Remove the forms-authentication ticket cookie from the browser and send the user to the login page
     FormsAuthentication.SignOut();
     FormsAuthentication.RedirectToLoginPage();
  2. // Drop the server-side session, then expire the session-id cookie so the old id is not reused
     Session.Clear();
     Session.Abandon();
     Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
     Response.Cookies["ASP.NET_SessionId"].Expires =
           DateTime.Now.AddMonths(-20);   // a date in the past makes the browser discard the cookie
     Response.Redirect("login.aspx");

Two things the training did not stress: SignOut() only removes the cookie from the browser, the ticket inside it stays valid until its timeout, so a copy captured earlier can still be replayed; and Session.Abandon() does not remove the ASP.NET_SessionId cookie, so without the explicit expiry in step 2 the next session on that browser is created with the same id.
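As an added example (not from the training or the original post), here is one Logout.aspx code-behind that combines both suggestions above. It assumes the default cookie names (FormsAuthentication.FormsCookieName, normally .ASPXAUTH, and ASP.NET_SessionId) and a login page at ~/login.aspx; those are assumptions, not something the post states.

```csharp
// Added example: combined Forms Authentication sign-out for an ASP.NET Web Forms page.
// Assumes default cookie names and a login page at ~/login.aspx.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Remove the forms-authentication ticket cookie from the browser. The ticket
        //    itself is not revoked: a copy captured earlier still validates until its
        //    timeout, so keep <forms timeout> short and slidingExpiration off.
        FormsAuthentication.SignOut();

        // 2. Drop the server-side session data.
        Session.Clear();
        Session.Abandon();

        // 3. Session.Abandon() leaves the ASP.NET_SessionId cookie in the browser and
        //    ASP.NET would reuse that id for the next session, so expire it explicitly.
        ExpireCookie("ASP.NET_SessionId");

        // 4. Plain redirect rather than FormsAuthentication.RedirectToLoginPage(): the
        //    latter appends ReturnUrl for the current page, which would send the user
        //    straight back to Logout.aspx after the next login.
        Response.Redirect("~/login.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Overwrite the named cookie with an empty value that expired in the past. The same
    // name and default path ("/") make the browser treat it as the live cookie.
    private void ExpireCookie(string name)
    {
        HttpCookie gone = new HttpCookie(name, string.Empty);
        gone.Expires = DateTime.Now.AddYears(-1);
        gone.HttpOnly = true;
        // Only set Secure when the request itself is HTTPS; browsers ignore a Secure
        // Set-Cookie delivered over plain HTTP, and the live cookie would survive.
        gone.Secure = Request.IsSecureConnection;
        Response.Cookies.Add(gone);
    }
}
```

The forms cookie is not expired again here because SignOut() already overwrites it with an expired cookie carrying the configured path and Secure flag.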


You can also mark a cookie Secure (the browser sends it only over SSL/TLS) and HttpOnly (script cannot read it) when you create it:

// Role cookie that script cannot read and that travels only over HTTPS
HttpCookie RoleCookie = new HttpCookie("Role");
RoleCookie.Value = role;
RoleCookie.HttpOnly = true;
RoleCookie.Secure = true;
Response.Cookies.Add(RoleCookie);   // Response, not Request: only cookies in the Response collection are sent to the browser

Note that the training's version added the cookie to Request.Cookies, which never reaches the browser. Also, HttpOnly and Secure only protect the cookie from script and from plaintext transport; the value is still under the user's control, so a plain "Role" cookie can be edited to any role the user likes. Role data belongs server-side (or in the signed and encrypted forms-authentication ticket), with the cookie carrying only an opaque identifier.


To apply those flags by default to every cookie the application creates (the session-id cookie included), put this inside <system.web> in the Web.config:

<httpCookies httpOnlyCookies="true" requireSSL="true" domain="www.example.com" />

One caveat: the forms-authentication ticket cookie does not inherit requireSSL from here. FormsAuthentication sets that cookie's Secure flag from the requireSSL attribute of the <forms> element, which defaults to false, so it has to be set there as well.
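As an added example (not from the training or the original post), a fuller Web.config fragment showing the httpCookies element together with the <forms> and <sessionState> settings it needs to cover every cookie; the login URL, timeout and domain values are assumptions.

```xml
<!-- Added example: cookie hardening for an ASP.NET Forms Authentication site.
     Assumed values: login page ~/login.aspx, 20-minute ticket, domain www.example.com. -->
<configuration>
  <system.web>
    <!-- Defaults for every cookie built with new HttpCookie(...), which includes the
         ASP.NET_SessionId cookie: not readable by script, sent only over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" domain="www.example.com" />

    <authentication mode="Forms">
      <!-- The ticket cookie (.ASPXAUTH) takes its Secure flag from THIS requireSSL, not
           from httpCookies. With it set, issuing a ticket over plain HTTP throws an
           HttpException instead of leaking the ticket. A short, non-sliding timeout
           bounds how long a replayed ticket works after SignOut(), which only removes
           the cookie from the browser. -->
      <forms loginUrl="~/login.aspx"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies" />
    </authentication>

    <!-- Never fall back to putting the session id in the URL, where it ends up in logs
         and Referer headers. -->
    <sessionState cookieless="UseCookies" />
  </system.web>
</configuration>
```

Deploy this only on a site that is actually served over HTTPS everywhere the ticket is issued; with requireSSL="true" on <forms>, a login page reached over HTTP fails rather than silently setting an insecure cookie.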

