SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.

 

The RequireSSL property value is set in the configuration file for an ASP.NET application by using the requireSSL attribute of the forms configuration element. In the web.config file for your ASP.NET application, you can specify whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie to the server by setting the requireSSL attribute.

 

In the FTP Attachments® web.config, set the RequireSSL and ForceSSLLogin attributes to true (refer to Figure 1.1 and Figure 1.2). Set these attributes to true only if SSL is required to return the forms-authentication cookie to the server; the default value is false. Making these changes requires an SSL certificate.

 

Along with RequireSSL and ForceSSLLogin, change the key values in the appSettings tag that control log creation (refer to Figure 1.1 and Figure 1.2). The default value of ShowDebugLog, ShowExceptiontoEndUser, and ShowAPICallLog is true. To test the FTP Attachments® application for SQL injection vulnerabilities, the user has to change these values to false (refer to Figure 1.1). Because the respective method is called while the log is being written, the user will otherwise get SQL injection vulnerability issues; to avoid that, set the respective values to false. For Standalone users this issue will not arise, because the user installs the package on their own application server, so the log settings depend on the user's requirements.




Figure 1.1 Modification in appSettings tag



Figure 1.2 Modification in requireSSL



It is recommended that if you configure requireSSL as false, you also configure slidingExpiration as false, to reduce the amount of time for which a ticket is valid.

Note: requireSSL is true if SSL is required to return the forms-authentication cookie to the server; otherwise, false. The default is false.
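
A quick way to check a web.config against the settings described above, as an added example that is not part of the FTP Attachments® product or documentation. The sample file is constructed; placing ForceSSLLogin under appSettings and treating an unset slidingExpiration as true are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config. Putting ForceSSLLogin under appSettings is an
# assumption: the page's figures, which show its real location, are not available.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ShowDebugLog" value="true" />
    <add key="ShowExceptiontoEndUser" value="false" />
    <add key="ShowAPICallLog" value="false" />
    <add key="ForceSSLLogin" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="false" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>"""

LOG_KEYS = ("ShowDebugLog", "ShowExceptiontoEndUser", "ShowAPICallLog")

def _setting(root, name):
    """Return a setting stored as <add key=... value=...> or as an attribute on any element."""
    for el in root.iter():
        if el.tag == "add" and el.get("key", "").lower() == name.lower():
            return el.get("value")
        for attr, val in el.attrib.items():
            if attr.lower() == name.lower():
                return val
    return None

def _is_true(value, default):
    return (default if value is None else value).strip().lower() == "true"

def audit(xml_text):
    """Return the names of settings that differ from what the page recommends."""
    root = ET.fromstring(xml_text)
    node = root.find(".//forms")
    forms = node.attrib if node is not None else {}
    findings = []
    if not _is_true(forms.get("requireSSL"), "false"):  # default is false (per page)
        findings.append("requireSSL")
        # With requireSSL false, the page recommends slidingExpiration="false".
        if _is_true(forms.get("slidingExpiration"), "true"):
            findings.append("slidingExpiration")
    if not _is_true(_setting(root, "ForceSSLLogin"), "false"):  # absent counts as false
        findings.append("ForceSSLLogin")
    findings += [k for k in LOG_KEYS if _is_true(_setting(root, k), "true")]  # default true
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list means every setting matches the values the page asks for; a missing log key is reported because the page gives its default as true.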