Forms Authentication with http/https

Discussion in 'ASP .Net Security' started by Holysmoke, Sep 29, 2004.

  1. Holysmoke

    Holysmoke Guest

    Hi,

    I am trying to implement Single Sign On solution to my web applications.

    I have developed a web application which does authentication and it is SSL
    based.
    I am having a problem when redirecting to the requested web site (http based)
    after authentication (https based).

    Let us say I have

    Site A - An application (configured to do forms authentication on Site B)
    Site B - An application which does authentication which is https based

    I try to redirect in site B using,

    System.Web.Security.FormsAuthentication.RedirectFromLoginPage("test", False)

    It works but one problem.

    After Authentication the Site B tries to redirect to the application A but
    still uses https and not http as expected.


    I appreciate your help,

    -Holy
     
    Holysmoke, Sep 29, 2004
    #1

  2. Holysmoke

    Paul Clement Guest

    RedirectFromLoginPage uses the protocol of the login page application. You may want to consider
    using SSL on your login page if you're implementing Forms based authentication with SSL
    applications.


    Paul ~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Sep 29, 2004
    #2

  3. Holysmoke

    Holysmoke Guest

    Sorry. I don't understand. Maybe I have not clearly explained the problem.

    The FormsAuthentication.RedirectFromLoginPage method redirects to the original
    requested web site / application but it does not care about the http/https

    For e.g.

    The original requested is not http based
    and the application that issues FormsAuthentication.RedirectFromLoginPage is
    SSL based, it redirects to the correct original requested page but the
    protocol is still SSL and not just http as expected. Hope I have explained
    correctly.

    What is the work around for this?

    TIA,
    Holy
     
    Holysmoke, Sep 30, 2004
    #3
  4. Holy,

    The behaviour that you describe is by design, so Forms will use the protocol
    of your login page as Paul wrote.
    If you still want to switch to http (although I would not recommend it
    because of the replay attacks to the Forms cookie), you may use this code:

    Response.Redirect( FormsAuthentication.GetRedirectUrl( "userName", false ) );

    Regards.

    PS: If you want to read about SSO with Forms auth, here are some posts about
    that.
    http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com
    http://weblogs.asp.net/hernandl
     
    Hernan de Lahitte, Oct 1, 2004
    #4
  5. Holysmoke

    Paul Clement Guest

    If I understand what you are saying, the protocol is not changing from https to http after
    performing the redirect. This behavior is correct in that RedirectFromLoginPage uses the current
    protocol. If the current protocol is https the page being redirected to will be https, not http.

    If you want to change the protocol from https to http, or vice versa, then you would have to use
    Response.Redirect instead.


    Paul ~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Oct 1, 2004
    #5
  6. Holysmoke

    Holysmoke Guest

    Response.Redirect(FormsAuthentication.GetRedirectUrl(..)) does not redirect
    to my http location; instead it redirects to the https location. This
    confuses me a lot. Do I have to take care of this in my code to get
    redirected to the original http location, or is it taken care of already?! :(

    Take the example of our newsgroup. We are requested to sign in with
    Passport over https, and after successful authentication we are redirected to
    our newsgroups, which are http based.

    Does the same behaviour apply to FormsAuthentication or not?!

    I appreciate your help,

    Holy
     
    Holysmoke, Oct 5, 2004
    #6
  7. Unfortunately FormsAuthentication does not have the same behavior as
    passports.
    Here you will have to "manually" switch protocols (from https to http) and
    use the Response.Redirect below:

    UriBuilder uri = new UriBuilder( Uri.UriSchemeHttp, Request.Url.Host );
    uri.Path = FormsAuthentication.GetRedirectUrl( "userName", false );
    Response.Redirect( uri.ToString() );

    NOTE: Remember to use attr: requireSSL="false" in <forms> config section.

    I hope this helps you.

    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com
    http://weblogs.asp.net/hernandl
     
    Hernan de Lahitte, Oct 5, 2004
    #7
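
Added example (not part of the original thread and not code from any poster): a C# helper for the manual https-to-http switch discussed in posts #4 and #7. It goes slightly beyond the posted snippet by setting the return URL's path and query string separately and by falling back to a default page when the return URL is not a path on this site. ReturnUrlHelper, BuildHttpReturnUrl, IsLocalPath, the host www.example.com and the sample URLs are assumptions made for illustration.

```csharp
using System;

static class ReturnUrlHelper
{
    // Hypothetical helper: builds the http:// target for a site-relative
    // return URL such as the value FormsAuthentication.GetRedirectUrl returns.
    public static string BuildHttpReturnUrl(string host, string returnUrl, string fallbackPath)
    {
        // A return URL that is not rooted at this site is replaced by the fallback.
        if (!IsLocalPath(returnUrl)) returnUrl = fallbackPath;

        // Path and query are set separately so the '?' is never treated as path text.
        int q = returnUrl.IndexOf('?');
        string path = q < 0 ? returnUrl : returnUrl.Substring(0, q);
        string query = q < 0 ? "" : returnUrl.Substring(q + 1);

        UriBuilder uri = new UriBuilder(Uri.UriSchemeHttp, host);
        uri.Path = path;
        uri.Query = query;   // passed without the leading '?'
        return uri.Uri.AbsoluteUri;
    }

    // Accept only paths such as "/SiteA/page.aspx?x=1". Reject absolute URLs,
    // "//host" and "/\host" forms, empty values and control characters.
    static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs, not taken from the thread.
        string[] samples = {
            "/SiteA/default.aspx?id=7",
            "//other.example/x",
            "http://other.example/",
            ""
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-26} -> {1}", s,
                BuildHttpReturnUrl("www.example.com", s, "/SiteA/default.aspx"));
    }
}
```

In the login page the call would be Response.Redirect(ReturnUrlHelper.BuildHttpReturnUrl(Request.Url.Host, FormsAuthentication.GetRedirectUrl("userName", false), "/default.aspx")), issued after the forms cookie has been set.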