SSL Forms Authentication Redirect - Problem Redirecting out of HTTPS

Discussion in 'ASP .Net Security' started by Guest, Aug 4, 2005.

  1. Guest

    Guest Guest


    I am using Forms Authentication in a load-balanced web app and am trying to
    implement SSL. My login script goes into SSL just fine. But, when I
    redirect out back to HTTP, I seem to lose my authentication context and get
    redirected back to the login page again. A few notes that may or may not be
    important: One, I am using cisco load balancing to balance two IIS
    webservers (another important note is that this works fine on our single dev
    server). The load balancer is maintaining server affinity. Two, I am
    storing my session state in SQL. I don't think that matters to Forms Auth,
    but I could be wrong. Three, my login.aspx page is in the same directory as
    the rest of my site files.

    If I remain in HTTPS, the site works just fine and I move on as expected
    from the login page. The problem only happens when I attempt to redirect
    back into HTTP where the application seems to think I am no longer
    authenticated and I recursively go back to the login page.

    Here are my web.config settings:

    <authentication mode="Forms">
    <forms name=".MYAPPLICATIONNAME">

    and to allow anonymous users access to my login page:

    <location path="Login.aspx">
    <allow users="?"/>

    After I verify credentials, my login page creates the auth cookie and
    redirects to the next page of the site via HTTP:
    // Logic to validate user

    Some authentication logic...

    // Set the auth cookie

    FormsAuthentication.SetAuthCookie(txtUsername.Text, false, string.Empty);

    // redirect out of SSL

    Response.Redirect("http://" + Request.Url.Host +
    FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));

    If anyone has any insight, I'd be much obliged!


    Guest, Aug 4, 2005
    1. Advertisements

  2. Dominick Baier [DevelopMentor], Aug 5, 2005
    1. Advertisements

  3. If your load balancer isn't actually maintaining affinity in the case of
    https/http transitions, then the encryption key mentioned by Dominick may be
    the issue. However, there's also another possibility that you may want to
    rule out before investigating the possible affinity loss. Since you haven't
    set an explicit value for the requireSSL attribute of the
    authentication\forms element in your web.config file, you may be inheriting
    from a parent configuration file (e.g.: machine.config).

    That said, allowing an authentication cookie to be passed over an HTTP
    connection is generally a pretty bad idea since the cookie alone can be used
    to authenticate against your site. If it was worth protecting the original
    login information via use of HTTPS, it's worth protecting the cookie as
    Nicole Calinoiu, Aug 5, 2005
  4. Guest

    Al Guest

    Thanks Nicole. Good point and a silly oversight on my part. I'll make sure
    I explicitly set that attribute.

    Al, Aug 5, 2005
  5. Guest

    Al Guest

    Thanks Dominick. I'll give that suggestion a shot and report back once I
    can get the change into production and test.

    Al, Aug 5, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.