Reputation: 1
DNN cookies not secure on all portals
I have a website in DNN 8.00.04. Within this site I have 5 portals.
In the main portal all my cookies are secure and http only. But on the other 4 portals they are not.
I have looked at the community of DNN but found nothing relevant. How can I make sure that they are all secure?
- The 'tankpas_cookie_accept' is a cookie I create in code and is set to secure and httpOnly.
- For the ASP.NET_SessionId I have used the following article to refresh the id: Generating a new ASP.NET session in the current HTTPContext
But the other cookies are DNN cookies which I don't know how to set them secure.
I already tried to make the portal ssl enabled through: Host - Site Management - (the portal) - Advanced setting - SSL Settings
SSL Enabled: checked
SSL Enforced: checked
--EDIT--
changing the webconfig from
<httpCookies httpOnlyCookies="true" requireSSL="false" domain="" />
to
<httpCookies httpOnlyCookies="true" requireSSL="true" domain="" />
Changing this however made the admin portal unavailable.
-- Edit 2-- Adding the following gives me a 505 Error when trying to open the site.
<rewrite>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
Thanks
Upvotes: 0
Views: 922
Answers (1)
Reputation: 35514
Not sure if this is exactly what you need, but you could enable Strict Transport Security in the Web.Config.
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
And enable secure cookies
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>
Upvotes: 1
Related Questions
- DNN Login across multiple sites
- SSO for DNN websites
- Secure Cookie Issue: Cookies only secure sometimes
- DNN: losing login session after home page
- Why is DNN killing my authentication cookies when I access an ashx from a child portal?
- DNN error setting site to HTTPS
- Can't read cookies (Using jQuery and cookies plugin)
- DotNetNuke : How to do single sing-on to multiple portals
- DotNetNuke (dnn) login problems in IE7
- Why are two authentication cookies being created? One for www and the other without the www