Re: SSL Forms Authentication Redirect - Problem Redirecting out of HTTPS

From: Nicole Calinoiu (calinoiu)
Date: 08/05/05


Date: Fri, 5 Aug 2005 07:38:10 -0400

If your load balancer isn't actually maintaining affinity in the case of
https/http transitions, then the encryption key mentioned by Dominick may be
the issue. However, there's also another possibility that you may want to
rule out before investigating the possible affinity loss. Since you haven't
set an explicit value for the requireSSL attribute of the
authentication\forms element in your web.config file, you may be inheriting
from a parent configuration file (e.g.: machine.config).

That said, allowing an authentication cookie to be passed over an HTTP
connection is generally a pretty bad idea since the cookie alone can be used
to authenticate against your site. If it was worth protecting the original
login information via use of HTTPS, it's worth protecting the cookie as
well.

<asdasd> wrote in message news:O%23AwopQmFHA.1372@TK2MSFTNGP10.phx.gbl...
> Hello-
>
> I am using Forms Authentication in a load-balanced web app and am trying
> to implement SSL. My login script goes into SSL just fine. But, when I
> redirect out back to HTTP, I seem to lose my authentication context and
> get redirected back to the login page again. A few notes that may or may
> not be important: One, I am using cisco load balancing to balance two IIS
> webservers (another important note is that this works fine on our single
> dev server). The load balancer is maintaining server affinity. Two, I
> am storing my session state in SQL. I don't think that matters to Forms
> Auth, but I could be wrong. Three, my login.aspx page is in the same
> directory as the rest of my site files.
>
> If I remain in HTTPS, the site works just fine and I move on as expected
> from the login page. The problem only happens when I attempt to redirect
> back into HTTP where the application seems to think I am no longer
> authenticated and I recursively go back to the login page.
>
> Here are my web.config settings:
>
> <authentication mode="Forms">
>   <forms name=".MYAPPLICATIONNAME"
>          loginUrl="https://www.mydomain.com/login.aspx"
>          protection="All"
>          timeout="30"
>          path="/" />
> </authentication>
>
> and to allow anonymous users access to my login page:
>
> <location path="Login.aspx">
> <system.web>
> <authorization>
> <allow users="?"/>
> </authorization>
> </system.web>
> </location>
>
> After I verify credentials, my login page creates the auth cookie and
> redirects to the next page of the site via HTTP:
> // Logic to validate user
>
> Some authentication logic...
>
> // Set the auth cookie
>
> FormsAuthentication.SetAuthCookie(txtUsername.Text, false, string.Empty);
>
> // redirect out of SSL
>
> Response.Redirect("http://" + Request.Url.Host +
> FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));
>
>
> If anyone has any insight, I'd be much obliged!
>
> Thanks
>
> Al
>
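A web.config that makes the cookie handling explicit, as an added example rather than configuration from either poster. It reuses the application name and login URL from Al's post, states requireSSL="true" rather than leaving it to be inherited from machine.config, adds a machineKey because tickets issued by one IIS server behind the load balancer must be decryptable and verifiable on the other (the key values below are placeholders, not real key material), and denies anonymous access site-wide except for the login page, which Al's post implies but does not show.

```xml
<!-- Added example: explicit forms-authentication settings for a two-server farm.
     Host name, application name and key values are placeholders. -->
<configuration>
  <system.web>
    <!-- Same keys on EVERY server in the farm, otherwise a ticket created on one
         server fails validation/decryption on the other. Replace the placeholders
         with random hex strings of the lengths ASP.NET requires; never reuse
         values copied from documentation or a public web page. -->
    <machineKey validationKey="REPLACE_WITH_RANDOM_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_RANDOM_HEX_DECRYPTION_KEY"
                validation="SHA1" />

    <authentication mode="Forms">
      <!-- requireSSL="true" marks the .MYAPPLICATIONNAME cookie Secure, so the
           browser only presents it on https:// requests. A post-login redirect
           to http:// therefore arrives anonymous and bounces back to loginUrl;
           keep the authenticated area on HTTPS instead of redirecting out. -->
      <forms name=".MYAPPLICATIONNAME"
             loginUrl="https://www.mydomain.com/login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Assumption: everything except the login page requires authentication. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Anonymous users may reach the login page itself. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the redirect after SetAuthCookie has to be built from "https://" rather than "http://", or the Secure cookie is simply not sent and the symptom in Al's post appears on every server, balanced or not. To see what the application has actually inherited rather than guessing from machine.config, read FormsAuthentication.RequireSSL at runtime (for example from a diagnostic page) and compare it with the value you expect.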


