From 46858af1ed6dbd1d3986f690aa2982d4bdfa8778 Mon Sep 17 00:00:00 2001
From: Shannon Deminick
Date: Thu, 25 Apr 2013 13:25:25 -1000
Subject: [PATCH] Ensures user cookie is encrypted, removes ASP.Net headers from being returned in our response. Ensures that our auth cookie is httponly.

---
 src/Umbraco.Web.UI/web.Template.config   | 10 ++++-
 src/Umbraco.Web/UmbracoApplication.cs    |  4 ++
 src/Umbraco.Web/UmbracoModule.cs         |  9 ++++
 .../BasePages/BasePage.cs                | 42 ++++++-------------
 src/umbraco.businesslogic/StateHelper.cs |  3 ++
 5 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/src/Umbraco.Web.UI/web.Template.config b/src/Umbraco.Web.UI/web.Template.config
index 27c815253a..2dea7c980d 100644
--- a/src/Umbraco.Web.UI/web.Template.config
+++ b/src/Umbraco.Web.UI/web.Template.config
@@ -81,7 +81,7 @@
-
+
@@ -220,6 +220,14 @@
+
+
+
+
+
+
+
+
diff --git a/src/Umbraco.Web/UmbracoApplication.cs b/src/Umbraco.Web/UmbracoApplication.cs
index c3d32c2ce2..c7e5efc9c6 100644
--- a/src/Umbraco.Web/UmbracoApplication.cs
+++ b/src/Umbraco.Web/UmbracoApplication.cs
@@ -5,6 +5,7 @@ using System.Linq;
 using System.Text;
 using System.Web;
 using System.Web.Hosting;
+using System.Web.Mvc;
 using Umbraco.Core;
 using Umbraco.Core.Logging;
 using Umbraco.Web.Routing;
@@ -34,6 +35,9 @@ namespace Umbraco.Web
         ///
         protected void Application_Start(object sender, EventArgs e)
         {
+            //don't output the MVC version header (security)
+            MvcHandler.DisableMvcResponseHeader = true;
+
             //boot up the application
             _bootManager
                 .Initialize()
diff --git a/src/Umbraco.Web/UmbracoModule.cs b/src/Umbraco.Web/UmbracoModule.cs
index f839c74a17..cc5669c64f 100644
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
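Review bot: `MvcHandler.DisableMvcResponseHeader = true;` in the Application_Start hunk suppresses only the X-AspNetMvc-Version header; the X-AspNet-Version header is governed separately by `<httpRuntime enableVersionHeader="false" />`, and the web.Template.config hunk in this patch is not readable here, so I cannot confirm that one is covered. A comment on the new line stating the split would save the next reader the same check, e.g. `//suppress X-AspNetMvc-Version; X-AspNet-Version is disabled via httpRuntime enableVersionHeader in web.config`. Application_Start continues past the end of the hunk.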
@@ -424,6 +424,15 @@ namespace Umbraco.Web
                     LogHelper.Debug("Total milliseconds for umbraco request to process: " + DateTime.Now.Subtract(UmbracoContext.Current.ObjectCreated).TotalMilliseconds);
                 }
             };
+
+            //disable asp.net headers (security)
+            app.PreSendRequestHeaders += (sender, args) =>
+            {
+                var httpContext = ((HttpApplication)sender).Context;
+                httpContext.Response.Headers.Remove("Server");
+                //this doesn't normally work since IIS sets it but we'll keep it here anyways.
+                httpContext.Response.Headers.Remove("X-Powered-By");
+            };
         }

         public void Dispose()
diff --git a/src/umbraco.businesslogic/BasePages/BasePage.cs b/src/umbraco.businesslogic/BasePages/BasePage.cs
index 5ff368e264..87c2ae4050 100644
--- a/src/umbraco.businesslogic/BasePages/BasePage.cs
+++ b/src/umbraco.businesslogic/BasePages/BasePage.cs
@@ -237,29 +237,21 @@ namespace umbraco.BasePages
         {
             get
             {
-                // zb-00004 #29956 : refactor cookies names & handling
                 if (StateHelper.Cookies.HasCookies && StateHelper.Cookies.UserContext.HasValue)
-                    return StateHelper.Cookies.UserContext.GetValue();
-                else
                 {
                     try
                     {
-                        string encTicket = StateHelper.Cookies.UserContext.GetValue();
-                        if (!String.IsNullOrEmpty(encTicket))
-                            return FormsAuthentication.Decrypt(encTicket).UserData;
+                        var encTicket = StateHelper.Cookies.UserContext.GetValue();
+                        if (string.IsNullOrEmpty(encTicket) == false)
+                        {
+                            return encTicket.DecryptWithMachineKey();
+                        }
                     }
                     catch (HttpException ex)
                     {
                         // we swallow this type of exception as it happens if a legacy (pre 4.8.1) cookie is set
                     }
-                    catch (ArgumentException ex)
-                    {
-                        // we swallow this one because it's 99.99% certaincy is legacy based. We'll still log it, though
-                        LogHelper.Error("An error occurred reading auth cookie value", ex);
-
-                    }
                 }
-
                 return "";
             }
             set
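Review bot: `httpContext.Response.Headers.Remove(...)` in the new PreSendRequestHeaders handler throws PlatformNotSupportedException when the site runs under the classic pipeline, because `HttpResponse.Headers` is only usable in IIS integrated mode; a guard such as `if (HttpRuntime.UsingIntegratedPipeline == false) return;` as the first line of the lambda keeps the module from failing every request on such a host. As the added comment already admits, removing X-Powered-By here is normally ineffective because IIS adds it after this point; the declarative `<customHeaders><remove name="X-Powered-By" /></customHeaders>` entry under system.webServer/httpProtocol is the reliable place, and may be what the unreadable web.Template.config hunk in this patch adds — worth saying so in the comment. PreSendRequestHeaders handlers in managed modules are also documented by Microsoft as problematic with asynchronous requests on the integrated pipeline, so if this module already does async work that interaction is worth checking. The enclosing method starts before the hunk.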
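Review bot: Dropping the `catch (ArgumentException ex)` branch means a malformed or tampered cookie value that makes `encTicket.DecryptWithMachineKey()` throw now escapes the property getter instead of falling through to `return "";`; what that helper throws is not visible here (MachineKey-based decoding typically surfaces a CryptographicException or an ArgumentException on bad input), so confirm its failure type and catch that specific exception so a bad cookie degrades to an empty value rather than an error page. The `ex` in `catch (HttpException ex)` is still unused; `catch (HttpException)` would avoid the compiler warning. It is also worth confirming that the helper integrity-protects the value as well as encrypting it, so a modified cookie is rejected rather than decrypted to garbage. The property starts before this hunk and its setter continues past it.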
@@ -271,25 +263,15 @@ namespace umbraco.BasePages
                 if (StateHelper.Cookies.UserContext.HasValue)
                     StateHelper.Cookies.ClearAll();

-                if (!String.IsNullOrEmpty(value))
-                {
-                    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
-                        value,
-                        DateTime.Now,
-                        DateTime.Now.AddDays(1),
-                        false,
-                        value,
-                        FormsAuthentication.FormsCookiePath);
-
-                    // Encrypt the ticket.
-                    string encTicket = FormsAuthentication.Encrypt(ticket);
-
+                if (string.IsNullOrEmpty(value) == false)
+                {
+                    // Encrypt the value
+                    var encTicket = value.EncryptWithMachineKey();
                     // Create new cookie.
-                    StateHelper.Cookies.UserContext.SetValue(value, 1);
-
-
-                } else
+                    StateHelper.Cookies.UserContext.SetValue(encTicket, 1);
+                }
+                else
                 {
                     StateHelper.Cookies.UserContext.Clear();
                 }
diff --git a/src/umbraco.businesslogic/StateHelper.cs b/src/umbraco.businesslogic/StateHelper.cs
index da79724f2b..387efd2ca3 100644
--- a/src/umbraco.businesslogic/StateHelper.cs
+++ b/src/umbraco.businesslogic/StateHelper.cs
@@ -454,6 +454,9 @@ namespace umbraco.BusinessLogic
             if (GlobalSettings.UseSSL)
                 cookie.Secure = true;

+            //ensure http only, this should only be able to be accessed via the server
+            cookie.HttpOnly = true;
+
             cookie.Expires = expires;
             ResponseCookie = cookie;
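Review bot: The removed FormsAuthenticationTicket carried an issue and expiry time (one day) inside the encrypted payload, whereas `value.EncryptWithMachineKey()` appears to protect only the raw value, so the cookie's lifetime now rests solely on the client-held expiry passed to `SetValue(encTicket, 1)`; if the helper embeds no timestamp, a previously issued value stays accepted by the getter until the machine key changes, and the getter cannot distinguish a stale value from a fresh one. Either embed an issue time in the value before encrypting, or document the trade-off on the new comment, e.g. `// Encrypt the value; no expiry is embedded, so the cookie's own expiry (1 day) is the only bound on its life`. The old `FormsAuthentication.Encrypt` path was also the one that made the value survive a farm with a shared machine key, so confirm the new helper keys off the same `machineKey` configuration. The setter starts before this hunk.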
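Review bot: `cookie.HttpOnly = true;` is set unconditionally in what looks like a shared cookie-writing helper (the enclosing method starts outside the hunk), so it applies to every cookie issued through this path, not only the auth cookie the commit message names; any of those cookies that client-side script reads will now come back empty. The new comment should say so, e.g. `//ensure http only: every cookie written here becomes unreadable to client script, not just the auth cookie`. The `Secure` flag on the line above remains conditional on `GlobalSettings.UseSSL`, so when SSL is not enforced the encrypted auth cookie is still sent over plain HTTP; that is pre-existing, but worth a note next to the new line since the two flags are usually reviewed together.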