Re: SSL Forms Authentication Redirect - Problem Redirecting out of HTTPS
From: Al (al.hickman_at_competitive.com)
Date: 08/05/05
Date: Fri, 5 Aug 2005 08:41:08 -0400
Thanks Nicole. Good point and a silly oversight on my part. I'll make sure
I explicitly set that attribute.
Al
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%23B$QvIbmFHA.320@TK2MSFTNGP09.phx.gbl...
> If your load balancer isn't actually maintaining affinity in the case of
> https/http transitions, then the encryption key mentioned by Dominick may
> be the issue. However, there's also another possibility that you may want
> to rule out before investigating the possible affinity loss. Since you
> haven't set an explicit value for the requireSSL attribute of the
> authentication\forms element in your web.config file, you may be
> inheriting from a parent configuration file (e.g.: machine.config).
>
> That said, allowing an authentication cookie to be passed over an HTTP
> connection is generally a pretty bad idea since the cookie alone can be
> used to authenticate against your site. If it was worth protecting the
> original login information via use of HTTPS, it's worth protecting the
> cookie as well.
>
>
>
> <asdasd> wrote in message news:O%23AwopQmFHA.1372@TK2MSFTNGP10.phx.gbl...
>> Hello-
>>
>> I am using Forms Authentication in a load-balanced web app and am trying
>> to implement SSL. My login script goes into SSL just fine. But, when I
>> redirect out back to HTTP, I seem to lose my authentication context and
>> get redirected back to the login page again. A few notes that may or may
>> not be important: One, I am using cisco load balancing to balance two
>> IIS webservers (another important note is that this works fine on our
>> single dev server). The load balancer is maintaining server affinity.
>> Two, I am storing my session state in SQL. I don't think that matters to
>> Forms Auth, but I could be wrong. Three, my login.aspx page is in the
>> same directory as the rest of my site files.
>>
>> If I remain in HTTPS, the site works just fine and I move on as expected
>> from the login page. The problem only happens when I attempt to redirect
>> back into HTTP where the application seems to think I am no longer
>> authenticated and I recursively go back to the login page.
>>
>> Here are my web.config settings:
>>
>> <authentication mode="Forms">
>>   <forms name=".MYAPPLICATIONNAME"
>>          loginUrl="https://www.mydomain.com/login.aspx"
>>          protection="All"
>>          timeout="30"
>>          path="/"/>
>> </authentication>
>>
>> and to allow anonymous users access to my login page:
>>
>> <location path="Login.aspx">
>> <system.web>
>> <authorization>
>> <allow users="?"/>
>> </authorization>
>> </system.web>
>> </location>
>>
>> After I verify credentials, my login page creates the auth cookie and
>> redirects to the next page of the site via HTTP:
>> // Logic to validate user
>>
>> // Some authentication logic...
>>
>> // Set the auth cookie
>>
>> FormsAuthentication.SetAuthCookie(txtUsername.Text, false, string.Empty);
>>
>> // redirect out of SSL
>>
>> Response.Redirect("http://" + Request.Url.Host +
>> FormsAuthentication.GetRedirectUrl(txtUsername.Text, false));
>>
>>
>> If anyone has any insight, I'd be much obliged!
>>
>> Thanks
>>
>> Al
>>
>
>
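Added example, not part of the original thread: a small check for the inheritance case Nicole describes, resolving the effective requireSSL value across a chain of configuration files and reporting what it means for the HTTPS to HTTP redirect. The parent config content, the function names and the attribute-level inheritance model are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). The parent stands in for
# a machine.config in which an administrator has turned requireSSL on.
MACHINE_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms requireSSL="true"/></authentication>
</system.web></configuration>"""

# The poster's forms element, which has no explicit requireSSL attribute.
APP_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".MYAPPLICATIONNAME"
           loginUrl="https://www.mydomain.com/login.aspx"
           protection="All" timeout="30" path="/"/>
  </authentication>
</system.web></configuration>"""

FRAMEWORK_DEFAULT = "false"  # default for forms/@requireSSL when nothing sets it


def effective_require_ssl(chain):
    """chain: list of (label, xml_text), outermost parent first.
    Returns (bool value, label of the file that set it); nearest explicit wins."""
    value, source = FRAMEWORK_DEFAULT, "framework default"
    for label, text in chain:
        forms = next(ET.fromstring(text).iter("forms"), None)
        if forms is not None and "requireSSL" in forms.attrib:
            value, source = forms.attrib["requireSSL"].strip().lower(), label
    return value == "true", source


def audit(chain):
    """Explain what the effective setting means once the site leaves HTTPS."""
    secure, source = effective_require_ssl(chain)
    app_label = chain[-1][0]
    findings = []
    if source != app_label:
        findings.append(f"requireSSL not set in {app_label}; value comes from {source}")
    if secure:
        findings.append("cookie is marked Secure: browsers withhold it on http:// requests")
    else:
        findings.append("cookie is sent over http:// and can be captured in transit")
    return secure, source, findings


if __name__ == "__main__":
    for line in audit([("machine.config", MACHINE_CONFIG), ("web.config", APP_CONFIG)])[2]:
        print(line)
```

With the constructed parent, the poster's config inherits a Secure auth cookie, which the browser does not send after the redirect to HTTP, so the application sees an anonymous request and returns to the login page.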