Forms authentication with requireSSL=true not returning cookie with Secure attribute

karuptdata

New Member
I'm seeing a strange response from our IIS site now that we've upgraded the host from Win2K3/IIS6 to Win2k8R2/IIS7.5. ASP.Net version 4.0.

We have a significantly complex and mature web application that uses Forms Authentication with the following config:

[code]
<authentication mode="Forms">
  <forms loginUrl="~/Login" timeout="2000" domain="xx.xx.com" requireSSL="true" />
</authentication>
[/code]

The Login URL directs to an ASP.Net MVC 3 page properly configured for SSL.

The site behaved as expected in IIS6, but ever since the host migration, upon successful login the auth cookie in the response header is missing the Secure and HttpOnly attributes. This is problematic as we have a mixed content site with many HTTP pages. The auth cookie is now sent in every request, not just in requests over HTTPS, and is now open to a session stealing vulnerability.

Our Logoff link successfully sends a zero length cookie that does include the Secure and HttpOnly attributes.

Here are the raw responses after successful login and logoff from Fiddler, edited to protect the innocent :)

[code]
Login Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Set-Cookie: .ASPXAUTH=83FCCA...102D; domain=xx.xx.com; path=/
Date: Fri, 25 Jan 2013 22:53:31 GMT
Content-Length: 84

{...}

Logoff Response:

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: http://xx.xx.com/?...
Set-Cookie: .ASPXAUTH=; domain=xx.xx.com; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; secure; HttpOnly
Set-Cookie: logoff=; path=/
Set-Cookie: ...
Date: Fri, 25 Jan 2013 22:57:01 GMT
Content-Length: 64053

<html><head><title>...
[/code]

Changing the Integrated Pipeline setting of the app pool has no effect.

Here are the important parts of the cookie creation code:

[code]
var ctx = HttpContextFactory.Current;

// Encrypt a hand-built ticket and wrap it in a new HttpCookie;
// the object initializer sets only Domain, so Secure and HttpOnly
// keep their defaults for a cookie constructed this way.
var cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName,
    FormsAuthentication.Encrypt(
        new FormsAuthenticationTicket(
            SessionId,
            false,
            Convert.ToInt32(FormsAuthentication.Timeout.TotalMinutes))))
{
    Domain = domain
};

ctx.Response.Cookies.Add(cookie);
[/code]

Any thoughts on where to start looking for what's causing this?
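As an added example (not the poster's code or part of the original thread), the helper below builds the same kind of forms-auth cookie as the post but applies the attributes explicitly. The `requireSSL` setting on `<forms>` is honoured by `FormsAuthentication.GetAuthCookie`/`SetAuthCookie`, which set `Secure` from `FormsAuthentication.RequireSSL` and always set `HttpOnly`; a cookie created directly with `new HttpCookie(...)` does not pass through that path, so the flags have to be set by the caller. `SecureAuthCookie`, `sessionId` and `domain` are hypothetical names chosen for this example; the `FormsAuthentication` and `HttpCookie` members used are the standard System.Web ones.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper for this example: issues a forms-authentication cookie
// from a hand-built ticket while mirroring the attributes that
// FormsAuthentication.GetAuthCookie would have applied.
public static class SecureAuthCookie
{
    public static HttpCookie Create(string sessionId, string domain)
    {
        // Same ticket shape as the post: name, non-persistent, timeout from <forms timeout="...">.
        var ticket = new FormsAuthenticationTicket(
            sessionId,
            false,
            Convert.ToInt32(FormsAuthentication.Timeout.TotalMinutes));

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            Domain = domain,
            Path = FormsAuthentication.FormsCookiePath,
            // Copies <forms requireSSL="true"> onto the cookie; without this a
            // manually constructed cookie is sent over plain HTTP as well.
            Secure = FormsAuthentication.RequireSSL,
            // Framework-issued forms-auth cookies are always HttpOnly; keep that
            // property so script on the page cannot read the ticket.
            HttpOnly = true
        };

        // Same guard SetAuthCookie applies: never issue the ticket over a
        // non-SSL request when SSL is required, since the Secure flag would
        // then be set on a cookie that was already exposed in transit.
        var request = HttpContext.Current != null ? HttpContext.Current.Request : null;
        if (FormsAuthentication.RequireSSL && request != null && !request.IsSecureConnection)
        {
            throw new HttpException(403, "Forms authentication cookie requires an SSL connection.");
        }

        return cookie;
    }
}
```

In a login action this replaces the `new HttpCookie(...)` construction and is followed by the same `Response.Cookies.Add(cookie)` call. Independently of how the cookie is built, `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` makes `HttpCookie` instances default to both flags, which gives a second layer should another code path create the cookie by hand; the raw `Set-Cookie` header in Fiddler is the place to confirm that `secure; HttpOnly` now appears on the login response as it already does on the logoff response.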