Administration: Secure cookies
PREREQUISITES: You must have installed SSL on your site and you must have configured all backend pages to require SSL.
For more information, see Administration: Configure SSL.
Claims authentication
FedAuth and .ASPXAUTH are the cookies used by Claims authentication.
FedAuth is the cookie of the relying party and .ASPXAUTH is the cookie of the STS.
NOTE: Depending on the size of the cookie, the relying party can split the FedAuth cookie into more than one cookie, for example FedAuth and FedAuth1.
To secure the cookies, perform the following:
- Open your web.config file.
- Find the following element and set its requireSsl attribute to true:
  <cookieHandler requireSsl="true" />
The FedAuth cookie is secured.
- Inside <system.web>, find <authentication mode="None" /> and replace it with the following:
  <authentication mode="None">
    <forms requireSSL="true" />
  </authentication>
The .ASPXAUTH cookie is secured.
- Save and close the web.config and restart the application.
- Run your project and clear all browser cookies.
NOTE: If your STS is not integrated and has a separate web.config file, perform Step 2 (the cookieHandler change) in the web.config of the relying party and Step 3 (the authentication change) in the web.config of the STS.
Forms authentication
.SFAUTH is the cookie used by Forms authentication.
To secure the .SFAUTH cookie, perform the following:
- In Sitefinity CMS backend, click Administration » Settings » Advanced » Security.
- Select the AuthCookieRequireSsl checkbox.
- Restart the application.
- Run your project and clear all browser cookies.
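To confirm that both procedures took effect, check that every authentication cookie named on this page is issued with the Secure attribute. The following is an added example, not part of the original documentation or of Sitefinity CMS: the function names and the sample Set-Cookie values are constructed for illustration, and in practice you would feed it the Set-Cookie headers captured from a login response.

```python
import re

# Authentication cookie names taken from this page. FedAuth may be split
# into FedAuth, FedAuth1, ... so it is matched with an optional numeric suffix.
AUTH_COOKIE = re.compile(r"^(FedAuth\d*|\.ASPXAUTH|\.SFAUTH)$", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    # Split on the first "=" only: cookie values (e.g. base64) may contain "=".
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def insecure_auth_cookies(set_cookie_headers):
    """Return the names of authentication cookies issued without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if AUTH_COOKIE.match(name) and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample input (hypothetical values, not captured from a real site).
SAMPLE_HEADERS = [
    "FedAuth=77u/PD94bWw; path=/; secure; HttpOnly",
    "FedAuth1=aGVsbG8=; path=/; HttpOnly",        # split chunk, Secure missing
    ".ASPXAUTH=0A1B2C; path=/; Secure; HttpOnly",
    ".SFAUTH=3D4E5F; path=/; HttpOnly",           # Secure missing
    "sessionpref=abc; path=/",                    # not an auth cookie, ignored
]

if __name__ == "__main__":
    for cookie in insecure_auth_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: Secure attribute missing")
```

Every chunk of a split FedAuth cookie is checked separately, so a finding on FedAuth1 alone still counts as a failure.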