Consumer evaluation of mental health and substance abuse providers - sharing experiences on the web

Written by: Matthew Hile
9/17/2008 7:56 AM

I started having difficulties this morning with one of my DNN sites that uses SSL to protect the entry of a user's name/password combination. Before logging on I could view the publicly available web pages. After signing on, however, I still only saw the publicly available pages (there was no indication that I was signed on). Clicking the sign-in button again displayed all of the tabs (visible and invisible), but when I clicked on any that were NOT secure I was taken to a blank secure sign-in page.

I cleared the cache, deleted cookies, even restarted the computer and tried again, all to no avail. Then I remembered that my copy of NoScript had been updated when I started. Checking out the change log for the most recent version I found these additions:

v 1.8.1.2
=====================================================================
x Switched "HTTPS|Automatic Secure Cookie Management" off by default:
even if all the reported login issues (especially the ebay.com one)
have been fixed, it probably deserves more testing from opt-in
volunteers before a general "default-on" release
+ Unsafe cookies can be handled either globally (default), or per tab
(noscript.secureCookies.perTab)
x Fixed "force HTTPS" not working across some redirection patterns

This led me to the NoScript options page. When I unchecked the "Enable Automatic Secure Cookies Management" option my site worked as expected. Rechecking it caused a failure. Adding my site to the "Ignore unsafe cookies set over HTTPS by the following sites" list also fixed my problem.

So, from this it looks like there may be a difficulty with the cookies being set by DNN when it uses SSL for security OR a problem with NoScript's new options. I am not sure which.

UPDATE: I heard from both the NoScript and DNN folks (within an hour of my reports). The consensus was that it was probably a problem with NoScript and its initial implementation of Automatic Secure Cookie Management. It is useful to note that the newer versions of NoScript have turned this feature off by default. As for DNN, it uses "standard asp.net forms authentication cookies" and "automatically marks all cookies as being HttpOnly, so that cross-site scripting attempts cannot intercept cookie details to use in authentication/impersonation attacks."
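The symptom described above is what a browser produces when a session cookie set over HTTPS is rewritten as Secure while the site's ordinary pages are served over plain HTTP: the cookie is withheld on those pages, so the user looks logged out and gets bounced to the sign-in page. The following is an added Python example, not code from this post, NoScript or DNN; the cookie name and value, the hostnames and the force_secure rewrite are constructed stand-ins for what the extension did.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed sample: a forms-authentication style cookie, set over HTTPS
# without the Secure attribute (an "unsafe cookie" in NoScript's terms).
RAW_SET_COOKIE = "AuthSession=abc123; path=/; HttpOnly"


class _FakeResponse:
    """Minimal response stand-in so CookieJar.extract_cookies works offline."""

    def __init__(self, set_cookie: str):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def force_secure(set_cookie: str) -> str:
    """Hypothetical model of the extension's rewrite: add Secure to any
    cookie set over HTTPS that lacks it. Idempotent if Secure is present."""
    attrs = [a.strip() for a in set_cookie.split(";") if a.strip()]
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    return "; ".join(attrs)


def cookies_sent(set_cookie: str, set_url: str, request_url: str) -> list:
    """Store the cookie as if received from set_url, then return the names of
    the cookies the jar would attach to a request for request_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(set_url))
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)  # applies Secure/path/domain scoping rules
    header = req.get_header("Cookie", "")
    return [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]


def demo() -> dict:
    login_https = "https://www.example.com/login.aspx"   # constructed host
    page_http = "http://www.example.com/default.aspx"    # non-secure tab
    page_https = "https://www.example.com/default.aspx"
    rewritten = force_secure(RAW_SET_COOKIE)
    return {
        "original_http": cookies_sent(RAW_SET_COOKIE, login_https, page_http),
        "rewritten_http": cookies_sent(rewritten, login_https, page_http),
        "rewritten_https": cookies_sent(rewritten, login_https, page_https),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(case, names)
```

The "rewritten_http" case is empty: once the auth cookie carries Secure, every plain-HTTP page is requested without it, which is why whitelisting the site (so the rewrite is skipped) restored the login.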

1 comment so far...

Re: DNN SSL Security problem (unsafe cookie) with NoScript 1.8.1.2

Most likely DNN triggers another, as yet unknown, issue with Automatic Secure Cookie Management, worth investigating.
I'm glad I turned it off by default in 1.8.1.2, even if the eBay and Twitter issues were already fixed.

By Giorgio Maone on 9/17/2008 8:44 AM

Missouri Institute of Mental Health