Add the element ExcludedRolesToLogin tp the SiteSettings.config and specify
comma separate which roles are not allowed to login to the panel. e.g.:
<ExcludedRolesToLogin>Administrator,Reseller</ExcludedRolesToLogin>
By doing this you can eliminate the attack surface by publishing the portal
twice. One for the organization administrators and an internal one for the
adminsitrators and reseller admins
Available roles now in the platform: Administrator, Reseller, User, PlatformCSR,
PlatformHelpdesk, ResellerCSR, ResellerHelpdesk.
The platform CSR and Helpdesk are peer accounts on platform root level.
The names can be used within the websitepanel_pages.config on Page and Module
level. On module level the roles can be specified on the viewRoles attribute and
readOnlyRoles attribute. When specifying the later all controls will be disabled
within the Modile, the viewRoles just show the page or not. When nothing
specified the page is just shown
All authentication related cookies tagged as httpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login url injection redirection fixed
session hijacking implemented
Dont forget to apply ssl to your website with https and to set the requireSSL="false" to true
