Last post Sep 22, 2008 03:20 PM by Lee Dumond
Sep 18, 2008 04:39 PM|JamesSAEP|LINK
Well, I'm not sure if this was the correct thing to do, but I changed the following three settings in the web.config:
1. OLD: <forms cookieless="AutoDetect" loginUrl="~/AccessDenied.aspx" name="TBHFORMAUTH"/>
NEW: <forms loginUrl="~/Member/Login.aspx" name="TBHFORMAUTH"/>
2. OLD: <sessionState cookieless="AutoDetect"/>
NEW: <!-- <sessionState cookieless="AutoDetect"/> -->
3. OLD: <anonymousIdentification cookieless="AutoDetect" enabled="false"/>
NEW: <!-- <anonymousIdentification cookieless="AutoDetect" enabled="false"/> -->
Sep 18, 2008 07:02 PM|cv_vikram|LINK
Friend, those are options for the application to have cookies or not. If you make it true, then the cookies will not be used.
I don't know why you want to remove them! But anyway, I believe it will not harm anything if they are removed.
For more information on them, refer here : http://www.sitepoint.com/article/web-config-file-demystified/
Sep 18, 2008 07:02 PM|Lee Dumond|LINK
I can't see where there are any changes to #2 or #3.
With #1, you should be fine. Using an Access Denied page at the loginUrl is useful when you have login controls that render on every page. If you are using a dedicated login page, it would be better to use that as the loginUrl instead.
Sep 19, 2008 10:26 AM|JamesSAEP|LINK
Thanks for the replies. The reason I have made the changes is that when I Google my site and click on a link to an article or anything that takes me to my site, the link has a bunch of extra formatting. For example, I have a contact.aspx page that is at:
But, the link that Google shows and puts in the address bar, even when on my site, is the following:
All the links have a variation of the extra code: /(S(cfmllfq15...jw3vwwjg)).
Lee, the changes to #2 and #3 are that I put <!-- line --> around the line (removed them).
Sep 19, 2008 10:47 AM|Lee Dumond|LINK
Okay, I gotcha. In that case, there would be no need to comment out the whole line like you have. Just remove the cookieless="AutoDetect" part from sessionState. You could safely leave it in for the other two lines, as Google is an anonymous user.
By the way, that extra junk is the session ID. If you already have URLs in Google that have session IDs like this, this is a potential security risk. That's because if more than one user clicks on that link and visits your site at the same time, they will now be sharing the same session. That's very bad.
You can fix this by doing this:
<sessionState regenerateExpiredSessionId="true" />
This will tell the server to ignore the session ID in the URL and to generate a new session ID for every user.
Sep 19, 2008 11:23 AM|JamesSAEP|LINK
Thanks, Lee. Ok, I have made the following changes:
1. Put back the cookieless="AutoDetect"
<forms cookieless="AutoDetect" loginUrl="~/Member/Login.aspx" name="TBHFORMAUTH"/>
2. Put back the line and removed cookieless="AutoDetect"
3. Changed the sessionState
<sessionState regenerateExpiredSessionId="true" />
Are these the changes that should be done to solve the Google problem and the security issue?
Sep 19, 2008 11:41 AM|Lee Dumond|LINK
Sep 19, 2008 11:46 AM|JamesSAEP|LINK
Cool, thanks. If the setting is a security issue, shouldn't it be changed on the project files at Codeplex?
Sep 19, 2008 12:18 PM|Lee Dumond|LINK
The original download -- the "official" one hosted by the publisher at the Wrox.com site -- has no sessionState setting in web.config at all. Therefore, it's not an issue there.
I have no idea what the download at CodePlex has. If it has a sessionState with cookieless="AutoDetect", then yes, absolutely it should be changed.
The security issue only arises if you set cookieless="AutoDetect" in sessionState, or if you have had it set that way in the past, such that there are links out there with session IDs embedded in URLs. Therefore, whenever you are using cookieless sessions, you should always set regenerateExpiredSessionId="true".
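The two posts above (the 10:47 AM explanation of the session ID in the URL, and the 12:18 PM point that the risk persists as long as indexed links still carry session IDs) describe a check a site owner would want to run before and after changing web.config. regenerateExpiredSessionId="true" only reissues a session ID that has already expired; while a session embedded in a shared link is still alive, every visitor who follows that link is placed into it, so the cleanest fix is to stop using cookieless sessions (omitting cookieless, as Lee suggests, leaves the default of cookie-based sessions) and then to look at your access logs for IDs that more than one client has used. The following script is an added example, not code from the thread or from the TheBeerHouse project: it strips the ASP.NET cookieless segment `/(S(...))/` from a URL so pages can be compared without the ID, and counts how many distinct client addresses used each session ID in some constructed log lines. The `F(` and `A(` tokens (forms authentication and anonymous identification tickets) are assumed to use the same parenthesised shape as `S(`; only `S(` appears on the page. The log format and all IDs below are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# ASP.NET cookieless tickets live in a single path segment wrapped in
# parentheses, e.g. /(S(abcde12345fghij67890klmn))/contact.aspx.
# "S(" is the session ID seen in the thread; "F(" and "A(" are assumed here
# to be the forms-auth and anonymous-id tickets in the same layout.
_COOKIELESS_SEGMENT = re.compile(
    r"^/\((?P<tickets>(?:[SFA]\([^()]*\))+)\)(?=/|$)"
)
_TICKET = re.compile(r"([SFA])\(([^()]*)\)")


def extract_tickets(url):
    """Return (canonical_url, tickets) for one URL.

    tickets maps the ticket letter ('S', 'F', 'A') to its value. The
    parenthesised segment is removed from the path so two URLs that differ
    only by the embedded session ID compare equal.
    """
    parts = urlsplit(url)
    match = _COOKIELESS_SEGMENT.match(parts.path)
    if not match:
        return url, {}
    tickets = dict(_TICKET.findall(match.group("tickets")))
    clean_path = parts.path[match.end():] or "/"
    canonical = urlunsplit(
        (parts.scheme, parts.netloc, clean_path, parts.query, parts.fragment)
    )
    return canonical, tickets


# Constructed sample log: "<client ip> <requested url>", one request per line.
# The first session ID is deliberately used from two different addresses.
SAMPLE_LOG = """\
203.0.113.10 http://www.example.com/(S(abcde12345fghij67890klmn))/contact.aspx
198.51.100.7 http://www.example.com/(S(abcde12345fghij67890klmn))/contact.aspx
203.0.113.10 http://www.example.com/(S(abcde12345fghij67890klmn))/Member/Login.aspx
192.0.2.44 http://www.example.com/(S(zzzzz00000yyyyy11111xxxx))/contact.aspx
192.0.2.45 http://www.example.com/contact.aspx
"""


def sessions_shared_across_clients(log_text):
    """Map each cookieless session ID to the sorted list of client addresses
    that presented it, keeping only IDs used by more than one client.

    One ID showing up from several addresses is exactly the "two users
    following the same indexed link end up in the same session" case.
    """
    clients_by_session = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url = line.split(None, 1)
        _, tickets = extract_tickets(url.strip())
        session_id = tickets.get("S")
        if session_id:
            clients_by_session[session_id].add(client)
    return {
        sid: sorted(clients)
        for sid, clients in clients_by_session.items()
        if len(clients) > 1
    }


if __name__ == "__main__":
    for sid, clients in sessions_shared_across_clients(SAMPLE_LOG).items():
        print(f"session {sid} used by {len(clients)} clients: {', '.join(clients)}")
```

Run it against a real W3C log by adapting the two-field split to your log's columns; any session ID that shows up in the output is one that several visitors have shared and that your server should no longer honour once cookieless sessions are turned off.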
Sep 22, 2008 02:41 PM|JamesSAEP|LINK
Ok, I just went to the website for the code (http://www.wrox.com/WileyCDA/WroxTitle/productCd-0764584642,descCd-DOWNLOAD.html) and it downloads the code from (http://media.wiley.com/product_ancillary/42/07645846/DOWNLOAD/TheBeerHouseVB-final.zip) and in the web.config file it has line 84 as <sessionState cookieless="AutoDetect"/>.
Sep 22, 2008 03:20 PM|Lee Dumond|LINK
Well, there you go... I guess they've changed it over the past couple of years. [:)]
This doesn't change what I said though...