As a result of a security penetration test the following changes were applied:

All authentication-related cookies tagged as HttpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login URL injection redirection fixed
session hijacking implemented

Don't forget to apply SSL to your website with HTTPS and to set requireSSL="false" to true
robvde 2012-06-21 19:39:58 +04:00
parent 6794315198
commit 38592df9e6
8 changed files with 397 additions and 121 deletions
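The web.config settings the commit message lists, as an added example that is not part of this commit: each hardened value is shown next to the weak value it replaces. The attribute the message calls enabledVersionHeader is enableVersionHeader on `<httpRuntime>`. The loginUrl, timeout and the module's type name are placeholders, not values taken from this repository; the autocomplete change and the login redirect fix live in page markup and code-behind, not in this file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's own web.config. Element and attribute names are
     standard ASP.NET 4.x configuration; values marked as placeholders are assumptions. -->
<configuration>
  <system.web>
    <!-- Weak (the default): <httpRuntime enableVersionHeader="true" /> advertises the
         framework version in an X-AspNet-Version response header on every response. -->
    <httpRuntime enableVersionHeader="false" />

    <!-- Weak: <httpCookies httpOnlyCookies="false" requireSSL="false" />
         httpOnlyCookies="true" marks every cookie the application sets as HttpOnly, so
         document.cookie cannot read it; requireSSL="true" adds the Secure flag so the
         browser never sends it over plain HTTP. Enable requireSSL only once the site is
         actually served over HTTPS, otherwise logins stop working. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Weak: <forms requireSSL="false" /> lets the forms-authentication ticket cookie be
         issued and accepted over HTTP. Placeholder loginUrl and timeout. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" slidingExpiration="false" timeout="20" />
    </authentication>

    <!-- The session-protection module this commit adds to the project. The class name is
         the one in the csproj diff; the namespace is a placeholder. Without this entry the
         module compiles but is never executed. -->
    <httpModules>
      <add name="SecureSessionModule" type="YourNamespace.SecureSessionModule" />
    </httpModules>
  </system.web>

  <!-- IIS 7+ integrated pipeline reads this section instead of <httpModules>. -->
  <system.webServer>
    <modules>
      <add name="SecureSessionModule" type="YourNamespace.SecureSessionModule" />
    </modules>
  </system.webServer>
</configuration>
```

A quick check after deploying: request any page over HTTPS and confirm the Set-Cookie headers carry both `HttpOnly` and `Secure`, and that no `X-AspNet-Version` header is returned.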

@ -157,6 +157,7 @@
<Compile Include="Code\ContentPane.cs" />
<Compile Include="Code\Controls\DesktopContextValidator.cs" />
<Compile Include="Code\PortalUtils.cs" />
<Compile Include="Code\SecureSessionModule.cs" />
<Compile Include="Code\WebPortalControlBase.cs">
<SubType>ASPXCodeBehind</SubType>
</Compile>
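Review bot: adding Code\SecureSessionModule.cs to the <Compile> list only gets the module built; an IHttpModule also has to be registered in web.config (<system.web><httpModules> for the classic pipeline, <system.webServer><modules> for IIS 7 integrated mode) or its Init is never called, so check that the web.config hunk in this commit carries that <add name="..." type="..." /> entry alongside the enableVersionHeader change. Also, the commit message line "session hijacking implemented" reads as the opposite of what was done; "session hijacking protection implemented" would be clearer.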