Authenticate users in https virtual directory and get authenticateduser back

[manuel.ricca]

Hello all,

I am trying to create a virtual directory where a user can
authenticate securely (via SSL) and then get back to the normal HTTP
site.
First I created a new virtual directory called members and required
SSL for it. I created a new ASP.NET application at members and put the
necessary stuff in web.config:

<system.web>
<authentication mode="Forms" />
<compilation defaultLanguage="c#" />
<authorization>
<allow roles="Customer"/>
<deny users="*"/>
</authorization>
</system.web>

This works but when a user goes back to the HTTP site I don't get
anything in Page.User.Idenitity.
So I tried putting everything back in the main application (removed
the members application from IIS) and added this to the main
web.config:

<authentication mode="Forms">
<forms loginUrl="https://server/members/login.aspx"/>
</authentication>
<location path="members">
<system.web>
<authentication mode="Forms"/>
<authorization>
<allow roles="Customer"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

However, members is only accessible via HTTPS and the location doesn't
apply (because it's only expecting http://server/members and not
https://server/members). This means that the user won't get redirected
to my login URL. It is not allowed to put an absolute URL in location
tags (which would be <location path="https://server/members"> so it
seems I'm stuck.

Does anyonone have a solution for this? I'm thinking of getting back
to the 2 applications solution and passing the user information to the
HTTP site somehow (any ideas?).

Thanks in advance,

Manuel Ricca

 

[Manuel Ricca]

Hello all,

I am trying to create a virtual directory where a user can
authenticate securely (via SSL) and then get back to the normal HTTP
site.
First I created a new virtual directory called members and required
SSL for it. I created a new ASP.NET application at members and put the
necessary stuff in web.config:

<system.web>
<authentication mode="Forms" />
<compilation defaultLanguage="c#" />
<authorization>
<allow roles="Customer"/>
<deny users="*"/>
</authorization>
</system.web>

This works but when a user goes back to the HTTP site I don't get
anything in Page.User.Idenitity.
So I tried putting everything back in the main application (removed
the members application from IIS) and added this to the main
web.config:

<authentication mode="Forms">
<forms loginUrl="https://server/members/login.aspx"/>
</authentication>
<location path="members">
<system.web>
<authentication mode="Forms"/>
<authorization>
<allow roles="Customer"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

However, members is only accessible via HTTPS and the location doesn't
apply (because it's only expectinghttp://server/membersand nothttps://server/members). This means that the user won't get redirected
to my login URL. It is not allowed to put an absolute URL in location
tags (which would be <location path="https://server/members"> so it
seems I'm stuck.

Does anyonone have a solution for this? I'm thinking of getting back
to the 2 applications solution and passing the user information to the
HTTP site somehow (any ideas?).

Thanks in advance,

ManuelRicca

In case anyone reads this I think it might help.

I finally got it working. Login.aspx must be outside the protected
members directory. I had just assumed that .NET would bypass
membership enforcement for loginURL but it doesn't. So I guess it
wasn't allowing access to login.aspx because login.aspx itself was in
the location allowed only for a certain role (and for which it was
configured as loginURL).

Manuel Ricca