SecurityAttributes Enumeration
Namespace: NetQuarry.Security
Member name | Value | Description
---|---|---
PasswordCaseSensitive | 1 | Password should be case sensitive.
UserCaseSensitive | 2 | UserID should be case sensitive.
ResetSendPassword | 4 | During reset, send a clear-text password.
AllowPasswordCredentialCache | 8 | Allow password credential caching on the client.
AllowUserCredentialCache | 16 | Allow user ID credential caching on the client.
StrictMode | 32 | The application should be run in the 'strict' security mode. See IsStrictMode.
NoAutoComplete | 64 | Disables browser autoComplete for the entire application.
NoBrowserPageCaching | 128 | Set a Cache-Control response header for all pages to disallow both caching and storing.
ForceSecretQAChangeOnForcedPwdChange | 256 | When set, a forced password change on the user will also force the user to change his secret question and answer.
RestrictDisabledOrPwdChangeUserNav | 512 | Navigation should be restricted if the user is disabled or is being forced to change his password (that is, Disabled and/or ForcePasswordChange is set). In particular, the application Appbar, FooterBar, and Navbar should be suppressed.
NoCSRFToken | 1024 | Disables the use of an anti-Cross-Site Request Forgery (CSRF) token. Note that for postbacks EncryptViewState provides much the same protection as using an anti-CSRF token. The two techniques may be used together. A good CSRF overview can be found in the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, which describes CSRF thusly: "Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without knowledge of the target user, at least until the unauthorized transaction has been committed."
ResetSkipLoginAfterChange | 2048 | After performing a password reset, the user should be allowed to enter directly into the application without being forced to re-login. Currently this is supported when the ResetPasswordPage uses the standard ChangePassword component.
SecureCookies | 4096 | When set, platform HTTP cookies will be created as secure cookies if created during a secure request (e.g. typically NOT during localhost development). A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS); it cannot be transmitted over an unencrypted connection (i.e. HTTP). This makes the cookie less likely to be exposed to cookie theft via eavesdropping. A cookie is made secure by adding the Secure flag to the cookie.
EncryptViewState | 8192 | When set, the page __VIEWSTATE will be encrypted using a user-specific encryption key for additional security. Requires that the ViewState be compressed, so the NoViewStateCompression application property must not be set. Encrypting the ViewState can provide additional security against Cross-Site Request Forgery (CSRF) attacks. Note that .NET provides some built-in support for encrypting ViewState (see the Encrypting the View State section in Understanding ASP.NET View State). Also note that unless the NoCSRFToken security attribute is set, the platform will include an anti-CSRF token in every form. For postbacks the anti-CSRF token provides much the same protection as encrypting the ViewState. The two techniques may be used together.
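The members above are bit flags, so a stored attribute value is a sum of the listed numbers and is tested with bitwise operations. The following added C# example is not NetQuarry's code: it re-declares the enum locally with the values from this table, then uses two hypothetical helpers (`ResponseHeaders`, `Findings`) to show what the cache and cookie attributes imply for a response and which attribute combinations a reviewer would flag, based only on the behaviour each member is documented to have. The "hardened" and "weak" sets and the `isSecureRequest` parameter are illustrative assumptions.

```csharp
using System;
using System.Collections.Generic;

// Local re-declaration of the values in the table above (not the NetQuarry type itself).
// [Flags] marks the enum as a bit set, so members combine with | and are tested with HasFlag.
[Flags]
public enum SecurityAttributes
{
    None                                 = 0,
    PasswordCaseSensitive                = 1,
    UserCaseSensitive                    = 2,
    ResetSendPassword                    = 4,
    AllowPasswordCredentialCache         = 8,
    AllowUserCredentialCache             = 16,
    StrictMode                           = 32,
    NoAutoComplete                       = 64,
    NoBrowserPageCaching                 = 128,
    ForceSecretQAChangeOnForcedPwdChange = 256,
    RestrictDisabledOrPwdChangeUserNav   = 512,
    NoCSRFToken                          = 1024,
    ResetSkipLoginAfterChange            = 2048,
    SecureCookies                        = 4096,
    EncryptViewState                     = 8192,
}

public static class SecurityAttributeReview
{
    // Hypothetical helper: the response headers implied by the caching and cookie
    // attributes. isSecureRequest models "created during a secure request" (HTTPS).
    public static Dictionary<string, string> ResponseHeaders(SecurityAttributes attrs, bool isSecureRequest)
    {
        var headers = new Dictionary<string, string>();

        if (attrs.HasFlag(SecurityAttributes.NoBrowserPageCaching))
            headers["Cache-Control"] = "no-cache, no-store";   // disallow both caching and storing

        // The Secure flag is added only when the cookie is issued over an encrypted connection.
        bool secure = attrs.HasFlag(SecurityAttributes.SecureCookies) && isSecureRequest;
        headers["Set-Cookie"] = secure
            ? "session=<opaque>; HttpOnly; Secure"
            : "session=<opaque>; HttpOnly";

        return headers;
    }

    // Hypothetical helper: findings a reviewer would raise for an attribute set.
    public static List<string> Findings(SecurityAttributes attrs)
    {
        var findings = new List<string>();

        // For postbacks the anti-CSRF token and ViewState encryption give much the same
        // protection; disabling the token without enabling encryption leaves neither.
        if (attrs.HasFlag(SecurityAttributes.NoCSRFToken) && !attrs.HasFlag(SecurityAttributes.EncryptViewState))
            findings.Add("Postbacks have neither an anti-CSRF token nor an encrypted ViewState.");

        if (attrs.HasFlag(SecurityAttributes.ResetSendPassword))
            findings.Add("Password reset sends a clear-text password.");

        if (attrs.HasFlag(SecurityAttributes.AllowPasswordCredentialCache))
            findings.Add("Passwords may be cached on the client.");

        if (!attrs.HasFlag(SecurityAttributes.SecureCookies))
            findings.Add("Cookies are not marked Secure and may be sent over plain HTTP.");

        if (!attrs.HasFlag(SecurityAttributes.NoBrowserPageCaching))
            findings.Add("Authenticated pages may be cached or stored by the browser.");

        return findings;
    }

    public static void Main()
    {
        // A stored attribute value arrives as an integer; the cast recovers the flag names.
        var fromConfig = (SecurityAttributes)4224;   // 128 + 4096
        Console.WriteLine(fromConfig);               // NoBrowserPageCaching, SecureCookies

        // Illustrative attribute sets (assumptions, not recommended NetQuarry defaults).
        var hardened = SecurityAttributes.PasswordCaseSensitive
                     | SecurityAttributes.StrictMode
                     | SecurityAttributes.NoAutoComplete
                     | SecurityAttributes.NoBrowserPageCaching
                     | SecurityAttributes.SecureCookies
                     | SecurityAttributes.EncryptViewState;
        var weak = SecurityAttributes.NoCSRFToken | SecurityAttributes.ResetSendPassword;

        foreach (var cfg in new[] { ("hardened", hardened), ("weak", weak) })
        {
            Console.WriteLine($"--- {cfg.Item1} ({(int)cfg.Item2}) ---");
            foreach (var h in ResponseHeaders(cfg.Item2, isSecureRequest: true))
                Console.WriteLine($"{h.Key}: {h.Value}");
            foreach (var f in Findings(cfg.Item2))
                Console.WriteLine($"finding: {f}");
        }
    }
}
```

Because the enum carries `[Flags]`, `ToString()` on a combined value prints the member names rather than the integer, which is the quickest way to read back an attribute value pulled from configuration. `HasFlag` tests a single member; for a rule such as the CSRF check, which depends on two members at once, both tests are written out explicitly so the condition stays readable.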