Ensures user cookie is encrypted, removes ASP.Net headers from being returned in our response. Ensures

that our auth cookie is httponly.
2013-04-25 13:25:25 -10:00
parent 34163625fe
commit 46858af1ed
5 changed files with 37 additions and 31 deletions
--- a/src/Umbraco.Web.UI/web.Template.config
+++ b/src/Umbraco.Web.UI/web.Template.config
@@ -81,7 +81,7 @@
    <globalization requestEncoding="UTF-8" responseEncoding="UTF-8" />
    <xhtmlConformance mode="Strict" />

-    <httpRuntime requestValidationMode="2.0" />
+    <httpRuntime requestValidationMode="2.0" enableVersionHeader="false" />

    <pages enableEventValidation="false">
      <!-- ASPNETAJAX -->
@@ -220,6 +220,14 @@
      <remove fileExtension=".air" />
      <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip" />
    </staticContent>
+
+    <!-- Ensure the powered by header is not returned -->
+    <httpProtocol>
+      <customHeaders>
+        <remove name="X-Powered-By"/>
+      </customHeaders>
+    </httpProtocol>
+    
  </system.webServer>

  <system.codedom>
--- a/src/Umbraco.Web/UmbracoApplication.cs
+++ b/src/Umbraco.Web/UmbracoApplication.cs
@@ -5,6 +5,7 @@ using System.Linq;
 using System.Text;
 using System.Web;
 using System.Web.Hosting;
+using System.Web.Mvc;
 using Umbraco.Core;
 using Umbraco.Core.Logging;
 using Umbraco.Web.Routing;
@@ -34,6 +35,9 @@ namespace Umbraco.Web
 		/// <param name="e"></param>
 		protected void Application_Start(object sender, EventArgs e)
 		{
+            //don't output the MVC version header (security)
+            MvcHandler.DisableMvcResponseHeader = true;
+
 			//boot up the application
 			_bootManager
 				.Initialize()
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
@@ -424,6 +424,15 @@ namespace Umbraco.Web
 						LogHelper.Debug<UmbracoModule>("Total milliseconds for umbraco request to process: " + DateTime.Now.Subtract(UmbracoContext.Current.ObjectCreated).TotalMilliseconds);
 					}					
 				};
+
+            //disable asp.net headers (security)
+		    app.PreSendRequestHeaders += (sender, args) =>
+		        {
+                    var httpContext = ((HttpApplication)sender).Context;
+                    httpContext.Response.Headers.Remove("Server");
+                    //this doesn't normally work since IIS sets it but we'll keep it here anyways.
+                    httpContext.Response.Headers.Remove("X-Powered-By");
+		        };
 		}

 		public void Dispose()
--- a/src/umbraco.businesslogic/BasePages/BasePage.cs
+++ b/src/umbraco.businesslogic/BasePages/BasePage.cs
@@ -237,29 +237,21 @@ namespace umbraco.BasePages
        {
            get
            {
-                // zb-00004 #29956 : refactor cookies names & handling
                if (StateHelper.Cookies.HasCookies && StateHelper.Cookies.UserContext.HasValue)
-                    return StateHelper.Cookies.UserContext.GetValue();
-                else
                {
                    try
                    {
-                        string encTicket = StateHelper.Cookies.UserContext.GetValue();
-                        if (!String.IsNullOrEmpty(encTicket))
-                            return FormsAuthentication.Decrypt(encTicket).UserData;
+                        var encTicket = StateHelper.Cookies.UserContext.GetValue();
+                        if (string.IsNullOrEmpty(encTicket) == false)
+                        {
+                            return encTicket.DecryptWithMachineKey();
+                        }
                    }
                    catch (HttpException ex)
                    {
                        // we swallow this type of exception as it happens if a legacy (pre 4.8.1) cookie is set
                    }
-                    catch (ArgumentException ex)
-                    {
-                        // we swallow this one because it's 99.99% certaincy is legacy based. We'll still log it, though
-                        LogHelper.Error<BasePage>("An error occurred reading auth cookie value", ex);
-
-                    }
                }
-
                return "";
            }
            set
@@ -271,25 +263,15 @@ namespace umbraco.BasePages
                    if (StateHelper.Cookies.UserContext.HasValue)
                        StateHelper.Cookies.ClearAll();

-                    if (!String.IsNullOrEmpty(value))
-                    {
-                        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
-                        value,
-                        DateTime.Now,
-                        DateTime.Now.AddDays(1),
-                        false,
-                        value,
-                        FormsAuthentication.FormsCookiePath);
-
-                        // Encrypt the ticket.
-                        string encTicket = FormsAuthentication.Encrypt(ticket);
-
+                    if (string.IsNullOrEmpty(value) == false)
+                    {                        
+                        // Encrypt the value
+                        var encTicket = value.EncryptWithMachineKey();

                        // Create new cookie.
-                    StateHelper.Cookies.UserContext.SetValue(value, 1);
-                        
-
-                    } else
+                        StateHelper.Cookies.UserContext.SetValue(encTicket, 1);
+                    }
+                    else
                    {
                        StateHelper.Cookies.UserContext.Clear();
                    }
--- a/src/umbraco.businesslogic/StateHelper.cs
+++ b/src/umbraco.businesslogic/StateHelper.cs
@@ -454,6 +454,9 @@ namespace umbraco.BusinessLogic
                    if (GlobalSettings.UseSSL)
                        cookie.Secure = true;

+                    //ensure http only, this should only be able to be accessed via the server
+                    cookie.HttpOnly = true;
+
                    cookie.Expires = expires;
                    ResponseCookie = cookie;