The fix for the ASP.NET Security Bug is now available on Windows Update

The fix for the ASP.NET security bug is now available on Windows Update. However, the change has a negative side effect for the current release of mojoPortal, which may cause authenticated users to experience an error on your site. The error occurs when trying to decrypt a role cookie that was encrypted before the update was applied. Previously, an error decrypting a role cookie threw a System.Security.Cryptography.CryptographicException (which we were handling, so the user would not experience any error). After the Windows update it throws a more generic HttpException, which the current release does not handle, so the user will see the error page, and the only way to solve it is to clear the cookie. I have added handling for the changed error for the next release of mojoPortal, but you may begin seeing this error after you or your host applies the security fix.
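The handling change described above, as an added example (not mojoPortal's own code): a role-cookie reader that treats both exception types as "cookie unusable", discards the cookie and returns null so the caller can rebuild the roles. RoleCookieReader, TryReadRoles, the use of a forms-authentication ticket for the role cookie and the ';'-separated UserData layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class RoleCookieReader // hypothetical helper, not a mojoPortal class
{
    // Returns the roles stored in the cookie, or null when the cookie is missing,
    // expired, issued to another user or undecryptable. On null the caller is
    // expected to reload roles from the data store and issue a fresh cookie.
    public static string[] TryReadRoles(HttpContext context, string roleCookieName, string userName)
    {
        HttpCookie cookie = context.Request.Cookies[roleCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) { return null; }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // Assumption: ticket.Name is the user name and UserData is "role1;role2".
            if (ticket != null && !ticket.Expired
                && string.Equals(ticket.Name, userName, StringComparison.OrdinalIgnoreCase))
            {
                return ticket.UserData.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
            }
        }
        catch (CryptographicException) { } // thrown before the update, per the post
        catch (HttpException) { }          // thrown after the update, per the post
        catch (ArgumentException) { }      // empty, oversized or malformed ticket string
        Discard(context, roleCookieName);
        return null;
    }

    // Replace the unusable cookie with an empty, already expired one so the
    // browser stops sending it and the failure does not repeat on every request.
    private static void Discard(HttpContext context, string roleCookieName)
    {
        HttpCookie expired = new HttpCookie(roleCookieName, string.Empty);
        expired.HttpOnly = true;
        expired.Path = "/";
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        context.Response.Cookies.Add(expired);
    }
}
```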

There is one workaround you can apply right away to solve this problem: add code to the ErrorPage.aspx in the root to clear the role cookie, so that at least the user will only see the error page one time. To do this, edit the ErrorPage.aspx file with a text editor. At the top add this:

<%@ Import Namespace="mojoPortal.Business" %>
<%@ Import Namespace="mojoPortal.Business.WebHelpers" %>
<%@ Import Namespace="mojoPortal.Web" %>

Then add code to the bottom of the Page_Load event, after this existing line of code:

if (disposable != null) { disposable.Dispose(); }

add this:

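        try
        {
            SiteSettings siteSettings = CacheHelper.GetCurrentSiteSettings();
            if (siteSettings != null)
            {
                // Overwrite the role cookie with an empty value so the browser
                // stops sending the one that can no longer be decrypted.
                string roleCookieName = SiteUtils.GetRoleCookieName(siteSettings);
                HttpCookie roleCookie = new HttpCookie(roleCookieName, string.Empty);
                roleCookie.HttpOnly = true;
                roleCookie.Path = "/";
                HttpContext.Current.Response.Cookies.Add(roleCookie);
            }
        }
        catch { } // this is the error page itself, so any failure here is ignored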

Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.