Enabling secure cookies for K2 sites

K2 recommends that you use SSL (the HTTPS protocol) when configuring K2 sites (Viewflow, K2 Designer, and SmartForms Runtime sites). If you don't use SSL, you run the risk of unencrypted site traffic being intercepted.

If you configure all K2 sites to use SSL (HTTPS protocol), K2 recommends setting cookies as secure (described below). A secure cookie is only sent over HTTPS, so enabling this prevents the authentication and other cookies from being sent over unencrypted HTTP. Enabling secure cookies applies to the following cookies sent by K2 sites:

  • .K2Auth
  • FedAuth
  • XSRFCookie
  • AspxAutoDetectCookieSupport

If your environment is not using HTTPS bindings to access SmartForms or Viewflow, you should reconfigure your bindings to use SSL to benefit from the added security in K2 Five.

Possible errors in mixed-protocol environments

In environments using both SSL and non-SSL bindings, cookies may be set to secure on a site that is not served over HTTPS. For example, the Designer site is bound to HTTP but the runtime site is bound to HTTPS. If you access a site over HTTP while its cookies are set to secure, the browser will not send those cookies back, and the following issues occur.

  • If you open the runtime site (configured for HTTPS) first and then open the Designer site, you get redirected to the login page. If you are using Windows STS you see a blank page that is stuck in a loop trying to authenticate you. If you are using Forms STS, you are redirected to the login page where you can enter credentials but you are returned to this page even if you submit valid credentials.

If you do encounter these issues, you must disable secure cookies on the affected site.

Enable or disable secure cookies

To enable or disable secure cookies, edit the sections mentioned below in the web.config file of each site:

  • Viewflow: [K2 installation folder]\WebServices\Viewflow\
  • K2 Designer: [K2 installation folder]\K2 SmartForms Designer\
  • SmartForms Runtime site: [K2 installation folder]\K2 SmartForms Runtime\

Set the requireSsl attribute (on cookieHandler) and the requireSSL attribute (on forms) to true to enable secure cookies, or to false to disable them:
  • <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" path="/" />
      </federationConfiguration>
    </system.identityModel.services>
  • <authentication mode="Forms">
      <forms defaultUrl="Default.aspx" loginUrl="_trust/Login.aspx" requireSSL="true" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />
    </authentication>

Add or edit the following setting under the <system.web> element:
  • <system.web>
      <httpCookies requireSSL="true"/>
    </system.web>

Save the web.config file, clear your browser cache and open the site again. Cookies are now secure.
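As an added example (not part of the K2 documentation or product), the following Python script audits a site's web.config for the three settings above and compares them with the scheme of the site's IIS binding, so it reports both a missing secure flag on an HTTPS site and the mixed-protocol mismatch described earlier. The sample web.config is constructed for illustration, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (illustration only, not a real K2 file): the
# Forms cookie is marked secure but the federation and httpCookies settings are not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="_trust/Login.aspx" requireSSL="true" cookieless="AutoDetect" />
    </authentication>
    <httpCookies requireSSL="false" />
  </system.web>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" path="/" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>"""

# The three places the page tells you to change: (path of element tags, attribute name).
SETTINGS = {
    "cookieHandler": (("system.identityModel.services", "federationConfiguration", "cookieHandler"), "requireSsl"),
    "forms": (("system.web", "authentication", "forms"), "requireSSL"),
    "httpCookies": (("system.web", "httpCookies"), "requireSSL"),
}

def audit_secure_cookies(web_config_xml):
    """Return {setting: True/False/None}; None means the element or attribute is absent."""
    root = ET.fromstring(web_config_xml)
    status = {}
    for name, (path, attr) in SETTINGS.items():
        node = root
        for tag in path:  # walk direct children by tag name (no XPath, so dotted names are safe)
            node = next((c for c in node if c.tag == tag), None) if node is not None else None
        value = node.get(attr) if node is not None else None
        status[name] = None if value is None else value.strip().lower() == "true"
    return status

def check_site(binding_scheme, web_config_xml):
    """Findings for one site, given its IIS binding scheme ('http' or 'https')."""
    findings = []
    for name, secure in audit_secure_cookies(web_config_xml).items():
        if binding_scheme == "https" and secure is not True:
            findings.append(f"{name}: secure flag not enabled; cookie can be sent over plain HTTP")
        elif binding_scheme == "http" and secure is True:
            findings.append(f"{name}: secure flag set on an HTTP-bound site; expect the login redirect loop")
    return findings
```

Run check_site once per site (Viewflow, Designer, Runtime) with the scheme of that site's binding; on a deployment where every site is bound to HTTPS and configured as above, each call returns no findings.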

For information on Strict-Transport-Security, see the topic K2 Site Configuration.