SSL Forms Authentication Redirect - Problem Redirecting out of HTTPS

Discussion in 'ASP .Net Security' started by Guest, Aug 4, 2005.

  1. Guest

    Hello-

    I am using Forms Authentication in a load-balanced web app and am trying to
    implement SSL. My login script goes into SSL just fine. But, when I
    redirect out back to HTTP, I seem to lose my authentication context and get
    redirected back to the login page again. A few notes that may or may not be
    important: One, I am using Cisco load balancing to balance two IIS
    webservers (another important note is that this works fine on our single dev
    server). The load balancer is maintaining server affinity. Two, I am
    storing my session state in SQL. I don't think that matters to Forms Auth,
    but I could be wrong. Three, my login.aspx page is in the same directory as
    the rest of my site files.

    If I remain in HTTPS, the site works just fine and I move on as expected
    from the login page. The problem only happens when I attempt to redirect
    back into HTTP where the application seems to think I am no longer
    authenticated and I recursively go back to the login page.

    Here are my web.config settings:

    <authentication mode="Forms">
    <forms name=".MYAPPLICATIONNAME"
    loginUrl="https://www.mydomain.com/login.aspx"
    protection="All"
    timeout="30"
    path="/"/>
    </authentication>

    and to allow anonymous users access to my login page:

    <location path="Login.aspx">
    <system.web>
    <authorization>
    <allow users="?"/>
    </authorization>
    </system.web>
    </location>

    After I verify credentials, my login page creates the auth cookie and
    redirects to the next page of the site via HTTP:

    // requires: using System.Web.Security;

    // Logic to validate user

    Some authentication logic...

    // Set the auth cookie (non-persistent; an empty path means the configured
    // forms cookie path, "/" here)
    FormsAuthentication.SetAuthCookie(txtUsername.Text, false, string.Empty);

    // redirect out of SSL to the page the user originally requested
    Response.Redirect("http://" + Request.Url.Host +
        FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));


    If anyone has any insight, I'd be much obliged!

    Thanks

    Al
     
    Guest, Aug 4, 2005
    #1

  2. Hello asdasd,

    ASP.NET encrypts and signs the auth cookie. The key used for crypto must
    be the same on both machines. This is configured in the <machineKey> element.
    We have a tool on our website which spits out the correct XML fragment; just
    duplicate this for your machines.

    http://www.develop.com/technology/resourcedetail.aspx?id=78da5ca5-5079-4f8f-99c5-b080117ceac0

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Aug 5, 2005
    #2

  3. If your load balancer isn't actually maintaining affinity in the case of
    https/http transitions, then the encryption key mentioned by Dominick may be
    the issue. However, there's also another possibility that you may want to
    rule out before investigating the possible affinity loss. Since you haven't
    set an explicit value for the requireSSL attribute of the
    authentication\forms element in your web.config file, you may be inheriting
    from a parent configuration file (e.g.: machine.config).

    That said, allowing an authentication cookie to be passed over an HTTP
    connection is generally a pretty bad idea since the cookie alone can be used
    to authenticate against your site. If it was worth protecting the original
    login information via use of HTTPS, it's worth protecting the cookie as
    well.



    <asdasd> wrote in message news:O%...
    Nicole Calinoiu, Aug 5, 2005
    #3
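Both replies above point at configuration rather than at the login code: Dominick's shared <machineKey> and Nicole's explicit requireSSL. The following Python script is an added example, not part of the thread and not a DevelopMentor tool; it audits a web.config for both settings and emits a hardened copy. The sample config, the finding text and the function names are constructed here, and the attribute names it relies on (requireSSL, validationKey, decryptionKey, validation, decryption) are those of ASP.NET 2.0, which is an assumption about the poster's version.

```python
"""Added example (not from the thread): audit a web.config for the two settings the
replies point at and emit a hardened copy. Assumes ASP.NET 2.0 attribute names
(<forms requireSSL>, <machineKey validationKey/decryptionKey>)."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: the poster's config, with the <forms> element written as valid XML.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MYAPPLICATIONNAME"
             loginUrl="https://www.mydomain.com/login.aspx"
             protection="All" timeout="30" path="/" />
    </authentication>
  </system.web>
</configuration>
"""

FORMS_PATH = "system.web/authentication/forms"


def generate_machine_key():
    """Return (validationKey, decryptionKey) as upper-case hex from the OS CSPRNG.
    Sizes assume validation="SHA1" (64-byte HMAC key, the 128-hex-char maximum)
    and decryption="AES" (32-byte key); both are ASP.NET 2.0 settings."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def audit(config_xml):
    """Return a list of findings; an empty list means the farm-related checks pass."""
    root = ET.fromstring(config_xml)
    findings = []
    forms = root.find(FORMS_PATH)
    if forms is None:
        return ['no <forms> element under <authentication mode="Forms">']
    # Nicole's point: requireSSL is inherited (default false) unless set explicitly.
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append('forms/@requireSSL is not "true": the auth cookie is issued '
                        "without the Secure flag and the browser will send it over HTTP")
    if forms.get("loginUrl", "").lower().startswith("http://"):
        findings.append("forms/@loginUrl is http://, so credentials are posted in the clear")
    # Dominick's point: every node must validate/decrypt with the same literal keys.
    mk = root.find("system.web/machineKey")
    if mk is None:
        findings.append("no explicit <machineKey>: each node auto-generates its own keys, "
                        "so a cookie issued by one node fails validation on the other")
    else:
        for attr in ("validationKey", "decryptionKey"):
            if mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey/@{attr} is AutoGenerate; it must be the same "
                                "literal value on every node behind the load balancer")
    return findings


def harden(config_xml, validation_key, decryption_key):
    """Return config_xml with requireSSL="true" and an explicit, shared <machineKey>."""
    root = ET.fromstring(config_xml)
    forms = root.find(FORMS_PATH)
    if forms is None:
        raise ValueError("config has no <forms> element to harden")
    forms.set("requireSSL", "true")
    system_web = root.find("system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", validation_key)
    mk.set("decryptionKey", decryption_key)
    mk.set("validation", "SHA1")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    vk, dk = generate_machine_key()  # paste the same pair into every node's web.config
    print(harden(SAMPLE_WEB_CONFIG, vk, dk))
```

Run it once, then copy the same validationKey/decryptionKey pair into the web.config of every server behind the balancer; generating per node reproduces the original fault. With requireSSL="true" the cookie carries the Secure flag, so the browser will not present it on an http:// request: the post-login redirect then has to stay on https://, which is exactly the trade-off Nicole describes.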
  4. Al

    Thanks Nicole. Good point and a silly oversight on my part. I'll make sure
    I explicitly set that attribute.

    Al



    "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
    news:%23B$...
     
    Al, Aug 5, 2005
    #4
  5. Al

    Thanks Dominick. I'll give that suggestion a shot and report back once I
    can get the change into production and test.

    Al

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
     
    Al, Aug 5, 2005
    #5
