
Setting the HttpOnly Flag – ASP.NET

Method #1

Add the following configuration to your web.config:

<system.web>
    <httpCookies httpOnlyCookies="true" />
</system.web>

Method #2

In the code, use the System.Web.HttpCookie.HttpOnly property:

// Create an HttpOnly cookie.
HttpCookie theHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting HttpOnly to true makes this cookie accessible only to the
// server (ASP.NET); client-side script cannot read it.
theHttpOnlyCookie.HttpOnly = true;
theHttpOnlyCookie.Name = "TheHttpOnlyCookie";
Response.AppendCookie(theHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(theHttpOnlyCookie.Name);

References

http://msdn.microsoft.com/en-us/library/ms533046.aspx

Setting the HttpOnly Flag – Java

For servlet versions before 3.0

Add the following when the session cookie is created:

String sessionid = request.getSession().getId();
// setHeader replaces any Set-Cookie header already queued for this response;
// use addHeader if other cookies must be preserved.
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

For servlet version 3.0 or later

Add the following lines to the web.xml file:

<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly

Clickjacking – Java Secure Coding

Method #1: Adding the X-Frame-Options HTTP header

Set one of the following two values, depending on whether the site may frame its own pages:

 // to prevent all framing of this content
 response.addHeader( "X-FRAME-OPTIONS", "DENY" );
 
 // to allow framing of this content only by this site
 response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

Method #2: Including frame-busting code

<style> html { display: none; } </style>
<script>
   if (self == top) {
       document.documentElement.style.display = 'block';
   } else {
       top.location = self.location;
   }
</script>

References

https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_E

Clickjacking – ASP.NET Secure Coding

Method #1: Adding the X-Frame-Options HTTP header

Add the following code to the Application_BeginRequest method of the global.asax file:

void Application_BeginRequest(object sender, EventArgs e)
{
    // Sent on every request, so every page of the application refuses to be framed
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

Method #2: Including frame-busting code

<style> html { display: none; } </style>
<script>
   if (self == top) {
       document.documentElement.style.display = 'block';
   } else {
       top.location = self.location;
   }
</script>

References

http://technet.microsoft.com/en-us/security/cc242650
http://blogs.msdn.com/b/sdl/archive/2009/02/05/clickjacking-defense-in-i…

Prevention of Web Page Caching – PHP

Method

Add the following code to the page to prevent it from being cached:

// header() must be called before any output is sent, or the headers are silently dropped
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

Reference

http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Man…(OWASP-AT-007)

Prevention of Web Page Caching – Java

Method

Add the following code to the page to prevent it from being cached:

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "no-cache");
// setDateHeader with 0 sends the epoch date, i.e. an Expires value already in the past
response.setDateHeader("Expires", 0);

Reference

https://weblogs.java.net/blog/swchan2/archive/2013/08/29/when-httpsessio…

Prevention of Web Page Caching – ASP.NET

Method

Add the following code to the page to prevent it from being cached:

Response.AppendHeader("Cache-Control", "no-cache, no-store, must-revalidate");
Response.AppendHeader("Pragma", "no-cache");
Response.AppendHeader("Expires", "0");

Reference

http://support.microsoft.com/kb/234067
http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
http://msdn.microsoft.com/en-us/library/ms178606(v=vs.100).aspx
http://support.microsoft.com/kb/q222064
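As an added check that is not part of the original page, the following Node.js script audits a captured response for the controls configured in the HttpOnly, clickjacking and caching sections above (HttpOnly on every Set-Cookie, X-Frame-Options DENY or SAMEORIGIN, and the no-cache header set). The header object layout and the two sample responses are constructed for this example.

```javascript
// Added example: `headers` is a plain object keyed by lower-cased header name;
// multi-valued headers such as Set-Cookie are arrays. Sample data is constructed.
function parseSetCookie(raw) {
  // "name=value; Attr; Attr=x" -> cookie name plus a set of lower-cased attribute names
  const parts = raw.split(';').map(s => s.trim()).filter(Boolean);
  const name = parts[0].split('=')[0].trim();
  const attrs = new Set(parts.slice(1).map(p => p.split('=')[0].trim().toLowerCase()));
  return { name, attrs };
}

function expiresIsPast(value) {
  // Accept the literal "0" and "-1" forms used above, and any date that is not in the
  // future (Java's setDateHeader("Expires", 0) emits "Thu, 01 Jan 1970 00:00:00 GMT").
  if (value === undefined) return false;
  const v = String(value).trim();
  if (v === '0' || v === '-1') return true;
  const t = Date.parse(v);
  return !Number.isNaN(t) && t <= Date.now();
}

function auditHeaders(headers) {
  const findings = [];
  const get = name => headers[name.toLowerCase()];
  // HttpOnly: every cookie the response sets must carry the flag
  for (const raw of [].concat(get('set-cookie') || [])) {
    const cookie = parseSetCookie(raw);
    if (!cookie.attrs.has('httponly')) findings.push(`cookie ${cookie.name} lacks HttpOnly`);
  }
  // Clickjacking: X-Frame-Options must be present and be DENY or SAMEORIGIN
  const xfo = String(get('x-frame-options') || '').trim().toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push(`X-Frame-Options is "${xfo}" (expected DENY or SAMEORIGIN)`);
  }
  // Caching: the three Cache-Control directives plus Pragma and Expires
  const cc = new Set(String(get('cache-control') || '').toLowerCase().split(',').map(s => s.trim()));
  for (const d of ['no-cache', 'no-store', 'must-revalidate']) {
    if (!cc.has(d)) findings.push(`Cache-Control lacks ${d}`);
  }
  if (String(get('pragma') || '').trim().toLowerCase() !== 'no-cache') findings.push('Pragma is not no-cache');
  if (!expiresIsPast(get('expires'))) findings.push('Expires is missing or in the future');
  return findings;
}

// Constructed sample responses: one set up as the sections above describe, one not
const HARDENED = { 'set-cookie': ['JSESSIONID=abc123; Path=/; HttpOnly'], 'x-frame-options': 'DENY',
  'cache-control': 'no-cache, no-store, must-revalidate', pragma: 'no-cache', expires: '0' };
const WEAK = { 'set-cookie': ['LastVisit=2013-01-01; Path=/', 'sid=xyz; HttpOnly'],
  'cache-control': 'max-age=3600' };
```

Running `auditHeaders(WEAK)` lists one finding per missing control, which makes the function usable as an assertion in an integration test against real captured responses.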

Setting Session Timeout – Apache

Method #1: In php.ini

Add the following line to php.ini:

; Seconds after which idle session data may be garbage-collected.
; In php.ini a semicolon starts a comment, so the value takes no trailing ";".
session.gc_maxlifetime = 1000

Method #2: Using .htaccess

Add the following line to .htaccess:

# mod_php directive form of the same setting
php_value session.gc_maxlifetime 1000
# equivalent call from PHP code: ini_set('session.gc_maxlifetime', 1000);

Method #3: In httpd.conf

Add the following line to httpd.conf:

# Note: Apache's Timeout directive is the connection I/O timeout in seconds,
# not the PHP session lifetime; session.gc_maxlifetime above controls that.
Timeout 1000

(The value is a number of seconds.)

Reference

http://php.net/manual/en/ref.session.php

Setting Session Timeout – ASP.NET

Method #1: In web.config

Add the following to web.config (in this example the timeout is set to 15 minutes):

 <system.web>
    <sessionState timeout="15">
    </sessionState>
 </system.web>

Method #2: In Global.asax

Add the following to the Session_Start event handler in Global.asax:

void Session_Start(object sender, EventArgs e)
{
   // Session.Timeout is in minutes
   Session.Timeout = 15;
}

References

http://msdn.microsoft.com/en-us/library/ms525473(v=VS.90).aspx

Setting Session Timeout – Java

Method #1

In the servlet, call the setMaxInactiveInterval method on the session object:

HttpSession session = request.getSession();
// argument is in seconds
session.setMaxInactiveInterval(900);

(In this example, the session timeout is set to 900 seconds.)

Method #2

Set the timeout through web.xml:

<session-config>
  <session-timeout>10</session-timeout>
</session-config>

(Here the timeout is 10 minutes; session-timeout in web.xml is expressed in minutes.)
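An added illustration, not from the original page or from the servlet, ASP.NET or PHP runtimes, of what the idle timeouts in these sections mean: a toy session table in JavaScript where the interval is measured from the last request rather than from login, and where minute-based settings are normalised to seconds. The `SessionTable` class and the injected clock are assumptions of this example.

```javascript
// Added example: a minimal server-side session table. `now` is injected in seconds
// so the sliding-window behaviour can be checked without waiting for real time.
class SessionTable {
  constructor(maxInactiveSeconds) {
    // setMaxInactiveInterval and gc_maxlifetime take seconds; web.xml
    // <session-timeout> and ASP.NET sessionState timeout take minutes (see fromMinutes)
    this.maxInactive = maxInactiveSeconds;
    this.sessions = new Map(); // session id -> time of last access
  }

  create(id, now) {
    this.sessions.set(id, now);
  }

  // Called on every request that presents `id`. While the session is live it
  // refreshes the last-access time (the timeout is idle-based, so it restarts);
  // a session idle for longer than the interval is discarded and rejected.
  touch(id, now) {
    const last = this.sessions.get(id);
    if (last === undefined) return false;
    if (now - last > this.maxInactive) {
      this.sessions.delete(id);
      return false;
    }
    this.sessions.set(id, now);
    return true;
  }

  // Sweep of expired entries: the server-side cleanup that gc_maxlifetime governs in PHP.
  // Returns how many sessions were removed.
  reap(now) {
    let removed = 0;
    for (const [id, last] of this.sessions) {
      if (now - last > this.maxInactive) {
        this.sessions.delete(id);
        removed++;
      }
    }
    return removed;
  }
}

// Convert the minute-based settings above to the seconds SessionTable expects
function fromMinutes(minutes) {
  return minutes * 60;
}
```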

Reference

http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/api…