Security :: Load Balancer / How To Make Cookie As Secure In Site
Oct 28, 2010
I have a doubt regarding secure cookies.
I have four servers: 2 app servers (behind a firewall) and 2 web servers, and each server is accessed through a load balancer.
The app server is a module for the data access layer and the web server is for the presentation layer.
My issue is that my load balancer has a secure certificate installed, but the certificate is not installed on the servers, and I want to make the cookie secure in the site. As per my understanding, "a cookie should be set as secure only for an SSL site, otherwise a new session will get created every time". So should I install an SSL certificate on the web server to make my cookie secure, or will it work properly even if only the load balancer has SSL?
Similar Messages:
Apr 19, 2010
Can somebody explain what ASPXAuth cookie does?
My website uses forms auth and I am trying to create a load balancer (hardware) rule which will keep track of sessions based on the aspxauth cookie. Is it safe to assume that the value of the cookie is unique?
Dec 3, 2010
We have a web site accessed on the PRODTEST environment. We are facing an issue: the site works fine when we try to access the site using the individual server names (with IP address).
Jan 31, 2011
I have precompiled and encrypted my web.config. What else could I do to make my site secure?
Feb 8, 2010
I don't think the site has a web service available, so I need to pass the login credentials and read the XML file (e.g. https://www.somesite.com/needthisfile.xml). What do I use to do this?
Jan 7, 2010
I'm trying to write a small application to collect (scrape) one piece of data from a web site. I would like to be able to simply run the app and it will open the page, find the one piece of data and display it. So far so good... my problem is that the web site is a secure site, meaning I have to provide a user name and password. I've searched all over the web and found many discussions, but have yet to find anything that provides specifics on how to accomplish this. I understand a little bit about tokens etc., but I'm really looking for a detailed description of how to do this. Please feel free to direct me to a different forum if I'm in the wrong place.
Apr 8, 2010
The requirement is to stop more than one user from logging in at a time using the same user id. I am storing the user id in session. I searched the internet and found some ways, but somehow they do not work in these situations: if JavaScript in the browser is turned off; if the user does not click logout and directly closes the browser.
Aug 10, 2010
I have a GUI; when I log in I create a cookie and encrypt it. I am using SSL.
I check in the Login.aspx page if the cookie is secure, which it is, but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page.
Now I know that it is getting the same cookie, as all the other attributes match the one that was created in the Login.aspx page, except that the secure value is "False".
This is the case for all other pages after default: the value of cookie.secure is false.
Why is this happening, as I want all the pages to be secure by SSL?
Also, the pages are opening as https, not http.
Here is my web.config
[code]....
Mar 10, 2011
I am trying to secure cookies in my ASP.NET 2.0 web application, but when I try to use the following code in web.config
<httpRuntime enableVersionHeader="False"/>
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
Dec 31, 2010
How to make a secure login page using a SQL database by matching a user name and password, and redirect them to different pages as admin and user?
Aug 18, 2010
I have a couple of servers and a load balancer. I want to show the name of the server which is currently serving the page.
I am using HttpContext.Current.Request.ServerVariables["SERVER_NAME"] and HttpContext.Current.Request.ServerVariables["LOCAL_ADDR"], but it shows the same data for all servers (load balancer information is shown, but not the information about the exact server name).
How to get the relevant information?
Jan 28, 2010
I'm creating a web application behind a load balancer. Up to this moment I have configured it to store session in the database, but I'm not sure how I should handle session expiration. The problem is not that sessions are not removed from the database, but the Session_End event, because I have to call some web service method in it.
Assuming Session_End is called when the session expires, the thing I'm afraid of is the situation when a session is created on one server but finished on another. In this case I'm afraid Session_End on the first server will be executed prematurely and I will call the web service too early. What would you suggest in this situation?
Edit:
I remember some time ago reading about Sql Agent reacting to session end event and then performing custom code. Can anybody confirm that this solution is possible?
Jan 5, 2011
We are using two servers for our application, managed by a load balancer. One server has Windows Server 2003 and the other one has Windows Server 2008. When a request is served by the Windows 2003 server and the subsequent one goes to the other (2008) server, the user gets logged out. Do we need the same operating system on both systems? (When a request is served by the 2008 server and the subsequent one by the 2003 server, it is served without any issue.)
May 16, 2010
I have published a website and installed it on my local machine and it works fine, but when I install it on both servers that are controlled by the load balancer I get an error like "WebResource.axd not found". How can I resolve this problem? I have checked IIS for the axd mapping; the "Check that file exists" option is unchecked for both servers.
Dec 21, 2010
We host a SaaS application on 4 Windows 2008 servers, load balanced via an LVS. We use Infragistics and Ajax Control Toolkit on several pages. One page represents a list of people using a Web Datagrid; each time a person is clicked in the list, an Ultra Web Tab component is updated at the bottom of the page with detailed information on that person. After a certain number of clicks on different people (the number of clicks can be between 1 and 5), ScriptResource.axd crashes with the following error:
[Code]....
I don't get this error when I run my application on one server using the server's private IP address. I tried to synchronize the dates of the DLLs System.Web and System.Web.Extensions on each server; I still get the same error.
Sep 3, 2010
I haven't deployed behind a load balancer before. My customer has a WCF service built and tested on servers using a service model configuration that is relatively straightforward. It provides a service to return an image of a map for another application. To get the map, it calls other services.
The service was built in Visual Studio 2010 targeting the 3.5 framework. The customer is using IIS 7.5 and an F5 load balancer. When moving to the production server, the Web.config was changed to add the load balancer behavior and specify the endpoint to show the physical and logical address of the service:
[Code].....
There was a problem when the service was deployed to a server behind the load balancer. When I try to call the service from WCFStorm or WebServiceStudio I get the message "The provided URI scheme 'https' is invalid; expected 'http'."
The endpoints for the service itself look right to me. However in the development and testing versions of the config, the client section uses http instead of http, while on the production servers it uses the load balancer's https address. This seems like it should be obvious, but we're missing it.
Sep 30, 2010
Our server operations team has asked the web development team (ASP.NET) to provide a URL in our application, which the load balancer can ping to perform health checks.
What should be executed on this page? I think we should attempt a database connection to ensure connectivity between the web and database.
Dec 21, 2010
One issue with ASP.NET apps is that they periodically reload themselves, causing a long delay and possibly timeout for users who hit the site during that time.
This may not be a problem for small websites, but it can represent significant downtime for high-traffic sites, if users happen to get routed to a node in the web farm that is restarting.
Can load balancers somehow "know" if an ASP.NET application domain on a specific server is restarting? Then, they can route traffic around this server until the application has completed restarting.
Currently, I have my load balancer ping a simple .aspx page on the site. If there is a delay or the page fails to load, the host is taken out of rotation. Is it possible to do a more targeted health check, perhaps at the IIS level rather than ASP.NET level?
Sep 3, 2010
I have the following web farm setup on the production server: Browser --> HTTPS --> Load Balancer --> HTTP --> web server node. The F5 load balancer handles off-box SSL termination, which implies that SSL resides on the F5 load balancer. Problem statement: Ajax calls do not go through unless the "Access data sources across domains" option is enabled in IE security settings.
I have a similar setup on the staging server, except for the F5 load balancer. The ASP.NET application makes perfect AJAX calls on both HTTP and HTTPS. However, the staging server web farm uses Windows NLB and SSL resides on the individual web server nodes.
Mar 5, 2011
I've recently read one of Jeff's articles about XSS and it got me thinking about how to better protect the login cookies in my home cooked authentication system.
[code]....
So one of the questionable things I do is use the UserAgent string. Is there harm in doing this? Or are there browsers which will change their UserAgent string under normal operation (as in, without being updated)? My goal is basically that if an attacker gets a login cookie, they are not able to do anything with it. At the moment, the only info I store in the cookie in plain text is the username.
Aug 3, 2010
I have 3 servers where 1 of them serves as a load balancing server. In my ASPX page, I want to add an HTML comment to show the IP address or even host name of the server selected by the load balancer. I tried looking through IIS server variables and tried using SERVER_NAME, but that just returns the domain URL.
Jul 28, 2010
I have 2 sites: one is the main product site, the other a secure site featuring the basket and checkout processes.
When a user clicks "add item to basket" I am creating a basket in a database and then adding the items to the basket. The theory was then to store the id from the database for the basket (the basketid) in a cookie, redirect the user to secure site, use the basket id from the cookie and display the contents in the basket.
However I am having trouble getting the secure site to use the same cookie. When I redirect the users to the secure site, the basket appears empty. I need to go back to the main site and then back to secure before the cookie appears.
Here is the code for the cookie
[Code]....
And then on the secure site this is how it gets the basket ID from the cookie
[Code]....
But like I say it's having problems. I've tried replacing the cookies with session variables as well but it didn't work.
Oct 24, 2010
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying to find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the PostBackUrl for the login button to itself but in https, but the user's input is not retained and buttonLogin_click is not fired when I set the button's PostBackUrl property. My ASP.NET web application is VB.NET, framework 4.0.
I am assuming this can be done because I see lots of websites where login fields are available on every page and they are running http and I can believe they are not encrypting the login credentials.
Jan 14, 2010
[Code]....
I have the above statement in the Page_Load sub on the masterpage. When I run "Start Debugging" from VS 2008 it works fine. However, when I publish the Web Site (on the same machine) and try to load the site from our internal network, the information is blank.
Nov 23, 2010
I want to develop a site with secure login. I followed various tutorials and created a site based on the default master page. I believe I set up the ASP.NET configuration correctly: under security, I changed the authentication type to "from the internet", added roles, and added users based on those roles. When I compile the project and test the login, it works fine. But in Visual Studio 2010's Solution Explorer the App_Data folder is grayed out and I cannot get into it to view the database. How do I view the tables and create new tables?