Redirect from secure server to unsecure server after login.

RedEye

Hello,

What I am shooting for is this. I have an asp.net application living on a
web farm and I want to have the user sent to a secure server to handle
logins and updating private information.

What I have done so far is add the machineKey values to the web.config on
all instances of the application in the web farm and in the secured server
version. I am also using sql server to handle session state.

When the user enters the site and is not authenticated they are redirected
(response.redirect("...")) to the secure server to log in. Once the user is
authenticated they are then redirected back to the web farm unsecured
version.

When the user successfully logs in I set a persistent cookie:
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)

Once the user lands back on the unsecured site the user is no longer
authenticated.

I have tested this on my local dev machine and jumping from secure to
unsecured works fine.

The test environment is going between
https://localhost/MyApp and http://localhost:3254/MyApp
Both on the same machine

The production environment is going between
https://secure.mydomain.com and http://MyApp.mydomain.com (Web Farm)

Is there something I forgot to do?

Thanks for any help!
Red

Dominick Baier [DevelopMentor]

Hi,

OK - this is a cookie problem. If the cookie is placed by "server1.domain.com"
- it won't be sent to "server2.domain.com" - this is defined in RFC.

To make this possible, you have to set the domain property in forms authentication
to ".domain.com" (notice the dot at the beginning) - this should fix the
problem.

BUT - if you log in through a secured area - that's fine - after login you
get the authentication cookie - if you now switch back to an unsecured area
- the auth cookie will still be sent back and forth - anyone who can sniff
the traffic can easily steal the auth cookie. This is not recommended practice.

This is why there is a requireSSL attribute in forms auth config - which
makes sure that cookies are only sent across SSL connections.
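
As an added illustration (not part of the original posts), this simplified JavaScript model of a browser's cookie-sending decision shows why the host-only cookie never reaches the farm, what setting the forms authentication domain to ".mydomain.com" changes, and what requireSSL then prevents. The cookie name `.ASPXAUTH` and the `/login.aspx` path are assumptions; cookie path, expiry and SameSite are ignored.

```javascript
// Simplified model of RFC 6265 domain matching plus the Secure attribute.
// Host names are the ones from the thread; everything else is constructed.

// Record the cookie as a browser would store it after a Set-Cookie response.
// `domain` is the Domain attribute; leaving it out creates a host-only cookie.
function storeCookie(setByUrl, { name, domain, secure = false }) {
  const host = new URL(setByUrl).hostname; // URL lowercases the host name
  if (domain === undefined) {
    return { name, domain: host, hostOnly: true, secure };
  }
  // A leading dot is ignored; the cookie covers the domain and its subdomains.
  const d = domain.replace(/^\./, "").toLowerCase();
  return { name, domain: d, hostOnly: false, secure };
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Would the browser attach this cookie to a request for requestUrl?
function isSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false; // Secure = HTTPS only
  return domainMatches(u.hostname, cookie);
}

const LOGIN = "https://secure.mydomain.com/login.aspx"; // path is an assumption
const FARM = "http://MyApp.mydomain.com/";
const NAME = ".ASPXAUTH"; // assumed forms-auth cookie name

function scenarios() {
  const hostOnly = storeCookie(LOGIN, { name: NAME });
  const shared = storeCookie(LOGIN, { name: NAME, domain: ".mydomain.com" });
  const sharedSecure = storeCookie(LOGIN, { name: NAME, domain: ".mydomain.com", secure: true });
  const dev = storeCookie("https://localhost/MyApp", { name: NAME });
  return {
    hostOnlyToFarm: isSent(hostOnly, FARM),    // false: the symptom in production
    sharedToFarm: isSent(shared, FARM),        // true: works, but travels in cleartext
    secureToFarm: isSent(sharedSecure, FARM),  // false: never leaves HTTPS
    secureToLogin: isSent(sharedSecure, LOGIN),// true
    // Cookies are not scoped by port or scheme, so the dev setup shares one cookie.
    devHttpPort: isSent(dev, "http://localhost:3254/MyApp"), // true
  };
}

console.log(scenarios());
```

The last case is why the local test passed: both URLs share the host name `localhost`, while the production hosts differ.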
 
