diff --git a/src/Umbraco.Web.UI/web.Template.config b/src/Umbraco.Web.UI/web.Template.config
index 27c815253a..2dea7c980d 100644
--- a/src/Umbraco.Web.UI/web.Template.config
+++ b/src/Umbraco.Web.UI/web.Template.config
@@ -81,7 +81,7 @@
-
+
@@ -220,6 +220,14 @@
+
+
+
+
+
+
+
+
diff --git a/src/Umbraco.Web/UmbracoApplication.cs b/src/Umbraco.Web/UmbracoApplication.cs
index c3d32c2ce2..c7e5efc9c6 100644
--- a/src/Umbraco.Web/UmbracoApplication.cs
+++ b/src/Umbraco.Web/UmbracoApplication.cs
@@ -5,6 +5,7 @@ using System.Linq;
using System.Text;
using System.Web;
using System.Web.Hosting;
+using System.Web.Mvc;
using Umbraco.Core;
using Umbraco.Core.Logging;
using Umbraco.Web.Routing;
@@ -34,6 +35,9 @@ namespace Umbraco.Web
///
protected void Application_Start(object sender, EventArgs e)
{
+ //don't output the MVC version header (security)
+ MvcHandler.DisableMvcResponseHeader = true;
+
//boot up the application
_bootManager
.Initialize()
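Review bot: The comment above `MvcHandler.DisableMvcResponseHeader = true;` should say which header it suppresses, because this flag only removes `X-AspNetMvc-Version`; the `X-AspNet-Version` header is controlled by `<httpRuntime enableVersionHeader="false" />` in web.config and `Server` by IIS, so a reader should not take this line as covering all version disclosure. Suggest `//suppress the X-AspNetMvc-Version header (version disclosure); X-AspNet-Version is handled in web.config, Server/X-Powered-By in UmbracoModule`. The web.Template.config hunk in this diff is not legible here, so whether enableVersionHeader is actually set cannot be confirmed. Application_Start continues past the end of this hunk.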
diff --git a/src/Umbraco.Web/UmbracoModule.cs b/src/Umbraco.Web/UmbracoModule.cs
index f839c74a17..cc5669c64f 100644
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
@@ -424,6 +424,15 @@ namespace Umbraco.Web
LogHelper.Debug("Total milliseconds for umbraco request to process: " + DateTime.Now.Subtract(UmbracoContext.Current.ObjectCreated).TotalMilliseconds);
}
};
+
+ //disable asp.net headers (security)
+ app.PreSendRequestHeaders += (sender, args) =>
+ {
+ var httpContext = ((HttpApplication)sender).Context;
+ httpContext.Response.Headers.Remove("Server");
+ //this doesn't normally work since IIS sets it but we'll keep it here anyways.
+ httpContext.Response.Headers.Remove("X-Powered-By");
+ };
}
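Review bot: `httpContext.Response.Headers.Remove("Server")` reads `HttpResponse.Headers`, which is only supported under the IIS integrated pipeline; under classic mode it throws PlatformNotSupportedException, and because this lambda runs in PreSendRequestHeaders for every response, the hardening step would become a site-wide failure rather than a silent no-op. Guard the handler with `if (HttpRuntime.UsingIntegratedPipeline == false) return;` before the two `Remove` calls. Separately, Microsoft documents PreSendRequestHeaders as problematic with asynchronous handlers in integrated mode; if the project targets .NET 4.5.2 or later, `httpContext.Response.AddOnSendingHeaders` is the recommended hook for the same work. The enclosing method begins before this hunk.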
public void Dispose()
diff --git a/src/umbraco.businesslogic/BasePages/BasePage.cs b/src/umbraco.businesslogic/BasePages/BasePage.cs
index 5ff368e264..87c2ae4050 100644
--- a/src/umbraco.businesslogic/BasePages/BasePage.cs
+++ b/src/umbraco.businesslogic/BasePages/BasePage.cs
@@ -237,29 +237,21 @@ namespace umbraco.BasePages
{
get
{
- // zb-00004 #29956 : refactor cookies names & handling
if (StateHelper.Cookies.HasCookies && StateHelper.Cookies.UserContext.HasValue)
- return StateHelper.Cookies.UserContext.GetValue();
- else
{
try
{
- string encTicket = StateHelper.Cookies.UserContext.GetValue();
- if (!String.IsNullOrEmpty(encTicket))
- return FormsAuthentication.Decrypt(encTicket).UserData;
+ var encTicket = StateHelper.Cookies.UserContext.GetValue();
+ if (string.IsNullOrEmpty(encTicket) == false)
+ {
+ return encTicket.DecryptWithMachineKey();
+ }
}
catch (HttpException ex)
{
// we swallow this type of exception as it happens if a legacy (pre 4.8.1) cookie is set
}
- catch (ArgumentException ex)
- {
- // we swallow this one because it's 99.99% certaincy is legacy based. We'll still log it, though
- LogHelper.Error("An error occurred reading auth cookie value", ex);
-
- }
}
-
return "";
}
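Review bot: The getter now only catches HttpException around `encTicket.DecryptWithMachineKey()`, yet a tampered or truncated cookie value is exactly the input an attacker controls, and the helper's failure type is not visible in this hunk; if it is built on `MachineKey.Unprotect` the failure is a CryptographicException, and a malformed base64 payload surfaces as FormatException, either of which would escape a property getter as a 500 instead of degrading to the anonymous `return ""`. Add a catch for the exception type the helper actually throws on invalid input that logs (the removed code used `LogHelper.Error("An error occurred reading auth cookie value", ex);`) and falls through to the empty return. The existing `catch (HttpException ex)` never uses `ex`; drop the identifier to avoid the unused-variable warning.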
set
@@ -271,25 +263,15 @@ namespace umbraco.BasePages
if (StateHelper.Cookies.UserContext.HasValue)
StateHelper.Cookies.ClearAll();
- if (!String.IsNullOrEmpty(value))
- {
- FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
- value,
- DateTime.Now,
- DateTime.Now.AddDays(1),
- false,
- value,
- FormsAuthentication.FormsCookiePath);
-
- // Encrypt the ticket.
- string encTicket = FormsAuthentication.Encrypt(ticket);
-
+ if (string.IsNullOrEmpty(value) == false)
+ {
+ // Encrypt the value
+ var encTicket = value.EncryptWithMachineKey();
// Create new cookie.
- StateHelper.Cookies.UserContext.SetValue(value, 1);
-
-
- } else
+ StateHelper.Cookies.UserContext.SetValue(encTicket, 1);
+ }
+ else
{
StateHelper.Cookies.UserContext.Clear();
}
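Review bot: `value.EncryptWithMachineKey()` protects the stored id, but the plaintext carries no timestamp, so the only lifetime on this credential is the client-honoured cookie expiry passed to `SetValue(encTicket, 1)`; a captured cookie replays for as long as the machine key is unchanged. The replaced FormsAuthenticationTicket embedded a one-day expiry (even though the old getter never checked `Expired`), so this is not a regression, but it is worth fixing while the format is changing: prepend a UTC expiry to the plaintext before encrypting and have the getter reject an expired payload. If the id is already bound to a server-side login record with its own timeout this may be redundant; that cannot be confirmed from this hunk. The setter begins before this hunk.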
diff --git a/src/umbraco.businesslogic/StateHelper.cs b/src/umbraco.businesslogic/StateHelper.cs
index da79724f2b..387efd2ca3 100644
--- a/src/umbraco.businesslogic/StateHelper.cs
+++ b/src/umbraco.businesslogic/StateHelper.cs
@@ -454,6 +454,9 @@ namespace umbraco.BusinessLogic
if (GlobalSettings.UseSSL)
cookie.Secure = true;
+ //ensure http only, this should only be able to be accessed via the server
+ cookie.HttpOnly = true;
+
cookie.Expires = expires;
ResponseCookie = cookie;
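Review bot: The comment on `cookie.HttpOnly = true;` overstates the flag: HttpOnly does not restrict the cookie to the server, it only hides it from client-side script while the browser still sends it on every matching request. Suggest `//HttpOnly: not readable by client-side script (limits cookie theft via XSS); the browser still sends it automatically`. Note that `cookie.Secure` remains conditional on GlobalSettings.UseSSL, so on a non-SSL configuration the protected value still travels in clear. The enclosing method begins before this hunk.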