User.Identity.IsAuthenticated and requireSSL=true

TH

Hi All

If I set an ASP.NET 2.0 site to forms authentication mode with
requireSSL=true, and I log in through https, then as soon as I swap back
to http mode, User.Identity.IsAuthenticated becomes false again and I
lose all the previous Identity information. Can anyone tell me how I'm
supposed to make use of User.Identity without running the whole site in
SSL?

Thanks, TH.
 
Dominick Baier

You have to run all pages that rely on authentication under SSL - on every
request the authentication cookie is round-tripped and you don't want that to
be stolen or sniffed from the wire.

requireSSL sets the "secure" flag on cookies - meaning they are not sent
if the wire is not secure - resulting in an empty Context.User.

You should partition your site in areas that need auth and areas that don't.
Or run the whole site on SSL.

Have a look here:

http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx
http://www.leastprivilege.com/CachingAndSSLPages.aspx
http://www.leastprivilege.com/ExpressionBuilderForSSLRedirects.aspx
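
The partitioning described in the answer above, sketched as a web.config. This is an added example, not part of the original thread or the linked articles; the folder name `secure` and the login page path are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- The forms ticket cookie is issued with the Secure flag, so the
         browser returns it over HTTPS only. On a plain HTTP request no
         ticket arrives and Context.User is empty. -->
    <authentication mode="Forms">
      <forms loginUrl="~/secure/Login.aspx"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true" />
    </authentication>

    <!-- Public area (site root): anonymous access. Pages here are served
         over HTTP and must not depend on User.Identity. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Protected area (assumed folder name "secure"): anonymous users are
       denied, so every page that reads User.Identity lives here.
       Requiring HTTPS for this folder is configured in IIS or by a
       redirect, not by this file. -->
  <location path="secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```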
 
