
Info: Web site, Security and Cookies

Cookie and Security FAQs
 
Does the application perform input validation on all data or user inputs (e.g., user input fields, cookie reads, etc.)?
Answer: Yes. We have hardened our UI against Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks in all inputs as well as cookies.

Is the input validation performed based on what data is allowed (i.e., "white listing") or by filtering out unacceptable input (i.e., "black listing")?
Answer: Web Admin utilizes both methods depending on the particular input field in question.

Does the application use cookies?
Answer: Yes.

What functions do the cookies perform?
Answer: Security and some user preference settings (some grid column layouts, etc.)

What do the cookies contain?
Answer: Session ID and user preference information

Do the cookies contain any personal information or authentication credentials?
Answer: No personally identifiable information is stored in the cookies.

Are the cookies written to memory or the hard drive?
Answer: Only the web console preferences are written and kept beyond the life of the session. Other cookies are in-memory.

Does the application use web authentication cookies?
Answer: Yes

Is the cookie used for non-authentication purposes?
Answer: No

Is the cookie set to the narrowest/lowest path or domain needed in order to prevent inadvertent or unauthorized sharing of cookies by other web applications?
Answer: We’re using the default (/) today; we have not investigated whether this can be narrowed further.

Are the cookies non-persistent?
Answer: Yes, we don’t store or reuse cookies.

Is the value of the cookie not predictable and does it provide 64-bit entropy?
Answer: Yes, we use a .NET random generator with 64-bit data.

Are default values not used for the name of the cookie?
Answer: Except for the default ASP.NET session ID, we use generic names: "ASP.NET_SessionId", "csrf", and "_aptSession".

Is the cookie set over an SSL/TLS channel, and are the Secure and HttpOnly attributes set?
Answer: Yes, all cookies are secure and HttpOnly enabled.

Can the cookie be manually deleted through a logout button that sets the cookie value to null, or is the cookie value rendered invalid on the server after a period of inactivity?
Answer: Yes, cookies become invalid as soon as the user logs out or when the session times out.

Is the cookie cleared during the authentication of a user?
Answer: Yes. We reset cookies during the authentication process.
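The questions above on path scope, persistence, entropy, and the Secure/HttpOnly attributes form a checklist that can be applied mechanically to the Set-Cookie headers a deployment actually emits. The following Python script is an added example, not code from the vendor or from this FAQ: it parses Set-Cookie header values and reports which cookies fail that checklist. The cookie names come from the FAQ; the header lines and cookie values are constructed sample input. It also checks the SameSite attribute, which goes slightly beyond the FAQ's own list, and its entropy figure is an upper bound derived from the value's length and apparent alphabet (a server that uses a 64-bit generator but encodes the value in a long string will still pass; a short decimal value will be flagged).

```python
"""Audit Set-Cookie headers against a session-cookie checklist.

Checks, mirroring the FAQ above: Secure and HttpOnly present, SameSite set
(added here, not in the FAQ), Path no broader than the expected scope,
no Expires/Max-Age on session cookies (non-persistent), and a session-ID
value long enough to carry at least 64 bits of entropy.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    value: str
    attrs: dict
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def value_entropy_bits(value: str) -> float:
    """Upper bound on the entropy of a cookie value, assuming each character is
    drawn uniformly from the alphabet the value appears to use."""
    if re.fullmatch(r"[0-9]+", value):
        return len(value) * math.log2(10)       # decimal: ~3.32 bits per digit
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) * 4                   # hex: 4 bits per char
    if re.fullmatch(r"[0-9A-Za-z_\-+/=]+", value):
        return len(value.rstrip("=")) * 6       # base64 / url-safe: 6 bits per char
    return len(value) * 8                       # arbitrary bytes: at most 8 bits per char


def audit_cookie(header: str, session_cookie_names: set[str],
                 expected_path: str = "/", min_entropy_bits: int = 64) -> CookieReport:
    """Apply the checklist to one Set-Cookie header and return the findings."""
    name, value, attrs = parse_set_cookie(header)
    report = CookieReport(name, value, attrs)
    if "secure" not in attrs:
        report.findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by page scripts (XSS exposure)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: weaker CSRF protection")
    path = attrs.get("path", "/")
    path = path if isinstance(path, str) else "/"
    if not path.startswith(expected_path):
        report.findings.append(f"Path={path} is broader than the expected scope {expected_path}")
    if name in session_cookie_names:
        if "expires" in attrs or "max-age" in attrs:
            report.findings.append("persistent: session cookie carries Expires/Max-Age")
        bits = value_entropy_bits(value)
        if bits < min_entropy_bits:
            report.findings.append(f"weak session ID: at most {bits:.0f} bits of entropy")
    return report


def audit_all(headers: list[str], session_cookie_names: set[str],
              expected_path: str = "/") -> dict[str, list[str]]:
    """Map each cookie name to its list of findings (empty list means it passed)."""
    return {r.name: r.findings
            for r in (audit_cookie(h, session_cookie_names, expected_path) for h in headers)}


# Constructed sample headers: cookie names are those named in the FAQ,
# the values and the weak third/fourth lines are made up for illustration.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=k3j9d02mxq1bplf4a7zz0v5n; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf=5d41402abc4b2a76b9719d911017c592; Path=/; Secure; HttpOnly; SameSite=Strict",
    "_aptSession=1234567; Path=/",
    "gridLayout=cols%3Da%2Cb%2Cc; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
]
SESSION_COOKIES = {"ASP.NET_SessionId", "_aptSession"}

if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS, SESSION_COOKIES).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {cookie}")
        for f in findings:
            print(f"       - {f}")
```

Feed it the Set-Cookie lines captured from a real login response (one header value per list entry) and pass the actual set of session-cookie names; set expected_path to the application's base path if it is not hosted at the site root, so a cookie scoped to "/" is reported as broader than necessary.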
