SSL and Forms Authentication

Discussion in 'ASP .Net Security' started by Scott, Feb 18, 2004.

  1. Scott

    Scott Guest

    Hi,

    I've seen this problem posted a few times around the 'net with no answer.
    Hopefully someone here can help.

    We have our website configured to use Forms Authentication. We want to
    secure the Login page ONLY using SSL. When a user goes to the site he is
    redirected to the Login page for authentication, but gets an error saying
    the resource is protected and they must use HTTPS:.

    That's ugly, since the redirect should be transparent to the user.

    When we set up the <forms> tag we have tried using the full path in the
    loginUrl property, including 'httpS://'. When we do this the user doesn't
    get the message about HTTPS, but he DOES get an NT Authentication login
    dialog instead.

    That's even uglier and I'm not even sure why that happens.

    Documentation and books I've read allude to the ability to secure a single
    folder or page using SSL and the login redirection works. Those same
    documents and books don't say HOW to make it work and we haven't been able
    to either.

    Is it even possible to do this? Has anyone here done it successfully?

    Scott L.
     
    Scott, Feb 18, 2004
    #1

  2. Scott

    Paul Glavich Guest

    Perhaps you could try and put some code in the Application_Authenticate
    event that checks to see if the user is already authenticated, if not, then
    issue a manual redirect to your HTTPS login page.

    --
    - Paul Glavich


    "Scott" <no_email_at_all> wrote in message
    news:...
    > Hi,
    >
    > I've seen this problem posted a few times around the 'net with no answer.
    > Hopefully someone here can help.
    >
    > We have our website configured to use Forms Authentication. We want to
    > secure the Login page ONLY using SSL. When a user goes to the site he is
    > redirected to the Login page for authentication, but gets an error saying
    > the resource is protected and they must use HTTPS:.
    >
    > That's ugly, since the redirect should be transparent to the user.
    >
    > When we set up the <forms> tag we have tried using the full path in the
    > loginUrl property, including 'httpS://'. When we do this the user doesn't
    > get the message about HTTPS, but he DOES get an NT Authentication login
    > dialog instead.
    >
    > That's even uglier and I'm not even sure why that happens.
    >
    > Documentation and books I've read allude to the ability to secure a single
    > folder or page using SSL and the login redirection works. Those same
    > documents and books don't say HOW to make it work and we haven't been able
    > to either.
    >
    > Is it even possible to do this? Has anyone here done it successfully?
    >
    > Scott L.
    >
    >
     
    Paul Glavich, Feb 19, 2004
    #2

  3. Scott

    Justin Guest

    I've been trying to figure this out too, without luck. I just work around it
    by redirecting to a relative aspx page from the loginUrl in web.config, then
    do a Response.Redirect("https://www.host.com/login.aspx") from that. Messy
    but it works.

    Justin

    "Scott" <no_email_at_all> wrote in message
    news:...
    > Hi,
    >
    > I've seen this problem posted a few times around the 'net with no answer.
    > Hopefully someone here can help.
    >
    > We have our website configured to use Forms Authentication. We want to
    > secure the Login page ONLY using SSL. When a user goes to the site he is
    > redirected to the Login page for authentication, but gets an error saying
    > the resource is protected and they must use HTTPS:.
    >
    > That's ugly, since the redirect should be transparent to the user.
    >
    > When we set up the <forms> tag we have tried using the full path in the
    > loginUrl property, including 'httpS://'. When we do this the user doesn't
    > get the message about HTTPS, but he DOES get an NT Authentication login
    > dialog instead.
    >
    > That's even uglier and I'm not even sure why that happens.
    >
    > Documentation and books I've read allude to the ability to secure a single
    > folder or page using SSL and the login redirection works. Those same
    > documents and books don't say HOW to make it work and we haven't been able
    > to either.
    >
    > Is it even possible to do this? Has anyone here done it successfully?
    >
    > Scott L.
    >
    >
     
    Justin, Feb 24, 2004
    #3
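
The workaround described in post #3, written out as an added example (not code from any poster in this thread): the code-behind of an interim page that loginUrl in web.config points to with a relative path, which then sends the browser to the SSL-only login page. The class name LoginRedirect and the path /login.aspx are assumptions; the ReturnUrl check is an addition so the hop cannot be used to forward users to another site.

```csharp
// Added illustration. LoginRedirect and /login.aspx are hypothetical names.
using System;
using System.Web;
using System.Web.UI;

public class LoginRedirect : Page
{
    // Assumed path of the login page that IIS serves only over SSL.
    private const string LoginPath = "/login.aspx";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Forms authentication appends the originally requested page
        // as ReturnUrl when it redirects to loginUrl.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Build https://<current host>/login.aspx from the incoming request,
        // so no host name is hard-coded.
        UriBuilder target = new UriBuilder(Uri.UriSchemeHttps, Request.Url.Host);
        target.Path = LoginPath;

        // Carry ReturnUrl across the hop only when it is a local path.
        if (IsLocalPath(returnUrl))
        {
            target.Query = "ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        }

        // End the response here; this page renders nothing itself.
        Response.Redirect(target.Uri.AbsoluteUri, true);
    }

    // Accepts "/page.aspx"; rejects absolute URLs, "//host" and "/\host".
    private static bool IsLocalPath(string url)
    {
        if (url == null || url.Length == 0 || url[0] != '/')
        {
            return false;
        }
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
}
```

With only the login page on SSL, the forms authentication cookie issued after login is still sent over plain HTTP on every later request to the rest of the site.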
