As are result of security penetration test the following changes applied:

All authentication related cookies tagged as httpOnly web.config: enabledVersionHeader=false autocomplete disabled Login url injection redirection fixed session hijacking implemented Dont forget to apply ssl to your website with https and to set the requireSSL="false" to true
2012-06-21 19:39:58 +04:00 · 2012-06-21 19:39:58 +04:00 · 38592df9e6
commit 38592df9e6
parent 6794315198
8 changed files with 397 additions and 121 deletions
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/Code/Framework/PanelSecurity.cs
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/Code/Framework/PanelSecurity.cs
@ -130,6 +130,7 @@ namespace WebsitePanel.Portal
            HttpContext.Current.Items[key] = s;

            HttpCookie cookie = new HttpCookie(key, s);
+            cookie.HttpOnly = true;
            HttpContext.Current.Response.Cookies.Remove(key);
            HttpContext.Current.Response.Cookies.Add(cookie);
        }