Enabling secure cookies for K2 sites
The product uses SSL (HTTPS) when configuring K2 sites (Viewflow, Designer, and SmartForms Runtime sites). If you don't use SSL you run the risk of unencrypted site traffic being intercepted.
If you configure all K2 sites to use SSL (HTTPS), we recommend setting cookies as secure. Using secure cookies prevents sending authentication and other cookies over unencrypted HTTP connections. Enabling secure cookies applies to the following cookies set by K2 sites:
- .K2Auth
- FedAuth
- XSRFCookie
- AspxAutoDetectCookieSupport
Possible errors in mixed-protocol environments
In environments that use both SSL and non-SSL bindings, cookies may be incorrectly set to secure.
For example, suppose that the Designer site is set to HTTP, but the Runtime site is set to HTTPS. Now suppose that you open the runtime site (configured for HTTPS) first and then open the Designer site (configured for HTTP), and you get redirected to the login page. If you are using Windows STS you see a blank page that is stuck in a loop trying to authenticate you. If you are using Forms STS, you are redirected to the login page where you can enter credentials, but you are returned to this page even if you submit valid credentials
If you do encounter these issues you must disable secure cookies.
Enable or disable secure cookies
To enable or disable secure cookies, you must change the web.config file in the sections mentioned below, for each K2 site listed below:
- Viewflow: [K2 installation folder]\WebServices\Viewflow\
- Designer: [K2 installation folder]\K2 SmartForms Designer\
- SmartForms Runtime site: [K2 installation folder]\K2 SmartForms Runtime\
Set the requireSSL value to true to enable secure cookies, or set the requireSSL value to false to disable secure cookies:
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" path="/" />
<authentication mode="Forms">
<forms defaultUrl="Default.aspx" loginUrl="_trust/Login.aspx" requireSSL="true" enableCrossAppRedirects="true" cookieless="AutoDetect" timeout="9000" />
Add or edit the following setting under the <system.web> element:
<system.web>
<httpCookies requireSSL="true"/>
Save the web.config file, clear your browser cache and open the site again. Cookie security should be set according to the configuration you used.
For information on Strict-Transport-Security see the topic K2 Site Configuration.