Administration: Secure cookies
PREREQUISITES: You must have installed SSL on your site and you must have configured all backend pages to require SSL.
For more information, see Administration: Configure SSL.
Claims authentication
The .AspNet.Cookies is the cookie of the relying party. The cookie of the STS depends on the protocol you use. It is one of the following:
- idsrv
  For OpenID Connect
- .ASPXAUTH
  For WRAP/SWT
Relying party
To configure the security of the Relying party .AspNet.Cookies cookie, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication and click RelyingParty.
- In the Authentication cookie security dropdown box, select one of the following:
  - SameAsRequest
    This is the default value. The cookie is automatically secured if the site is under SSL.
  - Always
    The cookie is always secured and must be served under HTTPS.
  - Never
    The cookie is not secured.
- Save your changes.
STS (OpenID Connect)
In OpenID Connect, the Security Token Service cookie idsrv is always configured as SameAsRequest.
STS (WRAP/SWT)
To secure the STS cookie in WRAP/SWT, perform the following:
- Open the web.config file of the STS webapp.
- Inside section <system.web>, find <authentication mode="None" /> and replace it with the following:
- Save and close the web.config and restart the application.
  The .ASPXAUTH cookie is secured.
- Run your project and clear all browser cookies.
Forms authentication
The .SFAUTH is the cookie connected to Forms authentication.
To secure the .SFAUTH cookie, perform the following:
- In Sitefinity CMS backend, click Administration » Settings » Advanced » Security.
- Select the AuthCookieRequireSsl checkbox.
- Restart the application.
- Run your project and clear all browser cookies.
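A check for the result of the procedures above, as an added example that is not part of the Sitefinity documentation: it reads raw response headers and reports which of the cookies named on this page were set without the Secure attribute. The sample headers and function names are constructed for illustration, and the handling of C1/C2 suffixes assumes the OWIN cookie middleware has split a large .AspNet.Cookies value into chunks.

```python
import re

# Cookie names taken from this page.
AUTH_COOKIES = (".AspNet.Cookies", "idsrv", ".ASPXAUTH", ".SFAUTH")
# Assumption: OWIN's chunking cookie manager may split a large cookie into
# <name>C1, <name>C2, ...; every chunk needs the Secure attribute as well.
_NAME_RE = re.compile(r"^(%s)(C\d+)?$" % "|".join(map(re.escape, AUTH_COOKIES)))


def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw_headers):
    """Map each authentication cookie in a raw header block to True if Secure is set."""
    result = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, attrs = parse_set_cookie(value)
        if _NAME_RE.match(name):
            # A cookie set more than once passes only if every occurrence is Secure.
            result[name] = result.get(name, True) and "secure" in attrs
    return result


def insecure(raw_headers):
    """Sorted names of authentication cookies that were set without Secure."""
    return sorted(n for n, ok in audit(raw_headers).items() if not ok)


# Constructed sample response headers (not captured from a real site).
SAMPLE = """\
HTTP/1.1 302 Found
Set-Cookie: .AspNet.Cookies=chunks:2; path=/; secure; HttpOnly
Set-Cookie: .AspNet.CookiesC1=AAAA; path=/; secure; HttpOnly
Set-Cookie: .AspNet.CookiesC2=BBBB; path=/; HttpOnly
Set-Cookie: .SFAUTH=CCCC; path=/; HttpOnly
set-cookie: idsrv=DDDD; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; path=/
"""

if __name__ == "__main__":
    for name in insecure(SAMPLE):
        print("missing Secure:", name)
```

Paste the response headers of a login request, for example from the browser developer tools, in place of SAMPLE to check your own site after clearing cookies.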