User.Identity.IsAuthenticated and requireSSL=true

Discussion in 'ASP .Net Security' started by TH, Dec 12, 2006.

  1. TH

    TH Guest

    Hi All

    If I set an ASP.NET 2.0 site to forms authentication mode with
    requireSSL=true, and I log in through https, then as soon as I swap back
    to http mode, User.Identity.IsAuthenticated becomes false again and I
    lose all the previous Identity information. Can anyone tell me how I'm
    supposed to make use of User.Identity without running the whole site in
    SSL?

    Thanks, TH.
    TH, Dec 12, 2006
    #1

  2. You have to run all pages that rely on authentication under SSL - on every
    request the authentication cookie is round-tripped and you don't want that to
    be stolen or sniffed from the wire.

    requireSSL sets the "secure" flag on cookies - meaning they are not sent
    if the wire is not secure - resulting in an empty Context.User.

    You should partition your site in areas that need auth and areas that don't.
    Or run the whole site on SSL.

    Have a look here:

    http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx
    http://www.leastprivilege.com/CachingAndSSLPages.aspx
    http://www.leastprivilege.com/ExpressionBuilderForSSLRedirects.aspx

    -----
    Dominick Baier (http://www.leastprivilege.com)

    > Hi All
    >
    > If I set an ASP.NET 2.0 site to forms authentication mode with
    > requireSSL=true, and I log in through https, then as soon as I swap
    > back to http mode, User.Identity.IsAuthenticated becomes false again
    > and I lose all the previous Identity information. Can anyone tell me
    > how I'm supposed to make use of User.Identity without running the
    > whole site in SSL?
    >
    > Thanks, TH.
    >
    Dominick Baier, Dec 13, 2006
    #2
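
The partitioning suggested in the reply above, sketched as a web.config. This is an added example, not configuration from the thread or from the linked articles; the `members` folder and `Login.aspx` page name are hypothetical.

```xml
<!-- Constructed example. Folder and page names are assumptions. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true" sets the Secure flag on the forms-auth cookie,
           so the browser sends it only on https requests. On any http
           request the cookie is absent and Context.User is anonymous. -->
      <forms loginUrl="~/members/Login.aspx" requireSSL="true" />
    </authentication>

    <!-- Public area: nothing here relies on User.Identity, so these
         pages can be served over plain http. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authenticated area: every page that reads User.Identity lives under
       this folder and is linked to with https URLs. Anonymous users
       (including authenticated users arriving over http, whose cookie was
       not sent) are denied and redirected to the login page. -->
  <location path="members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Forcing https for /members itself (IIS "Require SSL" on the folder,
       or a redirect) is configured separately; this file only controls
       the cookie flag and who may access each area. -->
</configuration>
```
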

  3. TH

    TH Guest

    Good stuff. Thanks very much.
    TH, Jan 4, 2007
    #3
