Forms Authentication with http/https

Holysmoke

Hi,

I am trying to implement Single Sign On solution to my web applications.

I have developed a web application which does authentication and it is SSL
based.
I am having a problem when redirecting to the requested web site (http based)
after authentication (https based).

Let us say I have

Site A - An application (configured to do forms authentication on Site B)
Site B - An application which does authentication which is https based

I try to redirect in site B using,

System.Web.Security.FormsAuthentication.RedirectFromLoginPage("test", False)

It works but one problem.

After Authentication the Site B tries to redirect to the application A but
still uses https and not http as expected.


I appreciate your help,

-Holy
 
Paul Clement

¤ Hi,
¤
¤ I am trying to implement Single Sign On solution to my web applications.
¤
¤ I have developed a web application which does authentication and it is SSL
¤ based.
¤ I am having a problem when redirecting to the requested web site (http based)
¤ after authentication (https based).
¤
¤ Let us say I have
¤
¤ Site A - An application (configured to do forms authentication on Site B)
¤ Site B - An application which does authentication which is https based
¤
¤ I try to redirect in site B using,
¤
¤ System.Web.Security.FormsAuthentication.RedirectFromLoginPage("test", False)
¤
¤ It works but one problem.
¤
¤ After Authentication the Site B tries to redirect to the application A but
¤ still uses https and not http as expected.
¤

RedirectFromLoginPage uses the protocol of the login page application. You may want to consider
using SSL on your login page if you're implementing Forms based authentication with SSL
applications.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 
Holysmoke

Sorry. I don't understand. Maybe I have not clearly explained the problem.

The FormsAuthentication.RedirectFromLoginPage method redirects to the original
requested web site / application but it does not care about the http/https.

For example:

The original request is http based
and the application that issues FormsAuthentication.RedirectFromLoginPage is
SSL based; it redirects to the correct original requested page but the
protocol is still SSL and not just http as expected. Hope I have explained
correctly.

What is the workaround for this?

TIA,
Holy
 
Hernan de Lahitte

Holy,

The behaviour that you describe is by design, so Forms will use the protocol
of your login page as Paul wrote.
If you still want to switch to http (although I would not recommend it
because of the replay attacks on the Forms cookie), you may use this code:

Response.Redirect( FormsAuthentication.GetRedirectUrl( "userName", false ) );

Regards.

PS: If you want to read about SSO with Forms auth, here are some posts about
that.
http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx
 
Paul Clement

¤ Sorry. I don't understand. Maybe I have not clearly explained the problem.
¤
¤ The FormsAuthentication.RedirectFromLoginPage method redirects to the original
¤ requested web site / application but it does not care about the http/https.
¤
¤ For example:
¤
¤ The original request is http based
¤ and the application that issues FormsAuthentication.RedirectFromLoginPage is
¤ SSL based; it redirects to the correct original requested page but the
¤ protocol is still SSL and not just http as expected. Hope I have explained
¤ correctly.
¤
¤ What is the workaround for this?
¤

If I understand what you are saying, the protocol is not changing from https to http after
performing the redirect. This behavior is correct in that RedirectFromLoginPage uses the current
protocol. If the current protocol is https the page being redirected to will be https, not http.

If you want to change the protocol from https to http, or vice versa, then you would have to use
Response.Redirect instead.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 
Holysmoke

Response.Redirect(FormsAuthentication.GetRedirectUrl(..)) does not redirect
to my http location; instead it redirects to the https location. This
confuses me a lot. Do I have to take care of this in my code to get
redirected to the original http location, or is it taken care of already?! :(

Take the example of our newsgroup. We are requested to sign in with
Passport over https, and after successful authentication we are redirected to
our newsgroups, which are http based.

Does the same behaviour apply to FormsAuthentication or not?!

I appreciate your help,

Holy
 
Hernan de Lahitte

Unfortunately FormsAuthentication does not have the same behavior as
Passport.
Here you will have to "manually" switch protocols (from https to http) and
use the Response.Redirect below:

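// Build an http:// URL on the current host so the redirect leaves https
UriBuilder uri = new UriBuilder( Uri.UriSchemeHttp, Request.Url.Host );
// GetRedirectUrl returns the originally requested URL (or the default page)
uri.Path = FormsAuthentication.GetRedirectUrl( "userName", false );
Response.Redirect( uri.ToString() );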

NOTE: Remember to use attr: requireSSL="false" in <forms> config section.

I hope this helps you.
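
The trade-off behind the requireSSL note and the replay warning earlier in the thread, as an added web.config sketch that is not from any poster. The loginUrl host and the timeout values are constructed placeholders; the attribute names are the standard ones on the <forms> element.

```xml
<!-- Added sketch: two alternative <authentication> fragments for the login
     application (Site B). Only one of them would appear in a real web.config.
     The loginUrl host and timeout values are constructed placeholders. -->

<!-- Option 1: keep the whole flow on https.
     requireSSL="true" marks the ticket cookie Secure, so the browser never
     sends it over plain http. A page on Site A reached over http does not
     receive the ticket and the user is sent back to the login page. -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH"
         loginUrl="https://siteb.example/login.aspx"
         protection="All"
         requireSSL="true"
         timeout="20"
         slidingExpiration="false" />
</authentication>

<!-- Option 2: log in over https, then browse Site A over http (the manual
     protocol switch shown in the thread).
     requireSSL="false" is needed for the cookie to reach the http pages, but
     the ticket then travels in clear text on every http request. Anyone who
     captures it can replay it until it expires, so the lifetime is kept short
     and sliding renewal is off to bound that window. -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH"
         loginUrl="https://siteb.example/login.aspx"
         protection="All"
         requireSSL="false"
         timeout="10"
         slidingExpiration="false" />
</authentication>
```

protection="All" encrypts and validates the ticket contents in both options, but it does not stop a captured cookie from being replayed as-is; only keeping the cookie off plain http does that.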
 
