Redirect from secure server to unsecure server after login.

Discussion in 'ASP .Net Security' started by RedEye, Jan 24, 2006.

  1. RedEye

    RedEye Guest

    Hello,

    What I am shooting for is this. I have an asp.net application living on a
    web farm and I want to have the user sent to a secure server to handle
    logins and updating private information.

    What I have done so far is add the machineKey values to the web.config on
    all instances of the application in the web farm and in the secured server
    version. I am also using sql server to handle session state.

    When the user enters the site and is not authenticated they are redirected
    (response.redirect("...")) to the secure server to login. Once the user is
    authenticated they are then redirected back to the web farm unsecured
    version.

    When the user successfully logs in I set a persistent cookie
    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)

    Once the user lands back on the unsecured site the user is no longer
    authenticated.

    I have tested this on my local dev machine and jumping from secure to
    unsecured works fine.

    The test environment is going between
    https://localhost/MyApp and http://localhost:3254/MyApp
    Both on the same machine

    The production environment is going between
    https://secure.mydomain.com and http://MyApp.mydomain.com (Web Farm)

    Is there something I forgot to do?

    Thanks for any help!
    Red
    RedEye, Jan 24, 2006
    #1

  2. Hi,

    OK - this is a cookie problem. If the cookie is placed by "server1.domain.com"
    - it won't be sent to "server2.domain.com" - this is defined in RFC.

    To make this possible, you have to set the domain property in forms authentication
    to ".domain.com" (notice the dot at the beginning) - this should fix the
    problem.

    BUT - if you login through a secured area - that's fine - after login you
    get the authentication cookie - if you now switch back to an unsecured area
    - the auth cookie will still be sent back and forth - anyone who can sniff
    the traffic can easily steal the auth cookie. This is not recommended practice.

    This is why there is a requireSSL attribute in forms auth config - which
    makes sure that cookies are only sent across SSL connections.

    > Hello,
    >
    > What I am shooting for is this. I have an asp.net application living
    > on a web farm and I want to have the user sent to a secure server to
    > handle logins and updating private information.
    >
    > What I have done so far is add the machineKey values to the web.config
    > on all instances of the application in the web farm and in the secured
    > server version. I am also using sql server to handle session state.
    >
    > When the user enters the site and is not authenticated they are
    > redirected (response.redirect("...")) to the secure server to login.
    > Once the user is authenticated they are then redirected back to the
    > web farm unsecured version.
    >
    > When the user successfully logs in I set a persistent cookie
    > FormsAuthentication.RedirectFromLoginPage(Login1.UserName, True)
    >
    > Once the user lands back on the unsecured site the user is no longer
    > authenticated.
    >
    > I have tested this on my local dev machine and jumping from secure to
    > unsecured works fine.
    >
    > The test environment is going between
    > https://localhost/MyApp and http://localhost:3254/MyApp
    > Both on the same machine
    > The production environment is going between
    > https://secure.mydomain.com and http://MyApp.mydomain.com (Web Farm)
    > Is there something I forgot to do?
    >
    > Thanks for any help!
    > Red
    Dominick Baier [DevelopMentor], Jan 25, 2006
    #2
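    The two settings Dominick names, shown as an added web.config example rather
    than anything posted in this thread. Host names follow the original post;
    the key values, connection string and login page path are placeholders.
    The commented-out "before" fragment is the host-scoped default that causes
    the cookie to be dropped on the way back to the farm; the "after" fragment
    scopes the cookie to the parent domain and marks it secure-only.

    ```xml
    <!-- Added example, not from the thread. Shows the forms-auth cookie settings
         for a login server plus a web farm under one parent domain.
         Every farm member and the secure server must carry identical values. -->
    <configuration>
      <system.web>

        <!-- BEFORE: default forms auth. The ticket cookie is scoped to the host
             that issued it (secure.mydomain.com), so the browser never sends it
             to MyApp.mydomain.com and the user arrives there unauthenticated. -->
        <!--
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" loginUrl="https://secure.mydomain.com/MyApp/Login.aspx" />
        </authentication>
        -->

        <!-- AFTER: domain with a leading dot so every host under mydomain.com
             receives the cookie; requireSSL so the browser only sends it over
             HTTPS, which means the pages that need the ticket must also be
             served over HTTPS. -->
        <authentication mode="Forms">
          <forms name=".ASPXAUTH"
                 loginUrl="https://secure.mydomain.com/MyApp/Login.aspx"
                 domain=".mydomain.com"
                 requireSSL="true"
                 protection="All"
                 slidingExpiration="true"
                 timeout="30" />
        </authentication>

        <!-- Shared machineKey so any server can validate and decrypt a ticket
             issued by any other. PLACEHOLDER values are not usable keys;
             generate real ones and keep them identical across the farm. -->
        <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                    decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                    validation="SHA1"
                    decryption="AES" />

        <!-- Out-of-process session state, as the original post already uses. -->
        <sessionState mode="SQLServer"
                      sqlConnectionString="Data Source=PLACEHOLDER;Integrated Security=SSPI" />

      </system.web>
    </configuration>
    ```

    Two consequences worth checking before deploying this: with
    requireSSL="true" the browser will not present the ticket to
    http://MyApp.mydomain.com at all, so the farm's authenticated pages have to
    move to HTTPS, and RedirectFromLoginPage will refuse to issue a secure
    cookie if the login request itself did not arrive over SSL.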
