Re: User.Identity.IsAuthenticated and requireSSL=true



You have to run all pages that rely on authentication under SSL - on every request the authentication cookie is round-tripped and you don't want that to be stolen or sniffed from the wire.

requireSSL sets the "secure" flag on cookies - meaning they are not sent if the wire is not secure - resulting in an empty Context.User.

You should partition your site in areas that need auth and areas that don't. Or run the whole site on SSL.

Have a look here:

http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx
http://www.leastprivilege.com/CachingAndSSLPages.aspx
http://www.leastprivilege.com/ExpressionBuilderForSSLRedirects.aspx

-----
Dominick Baier (http://www.leastprivilege.com)
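To make the "partition the site" advice concrete, here is an added example web.config fragment (not from the post above or from the linked articles) showing the two pieces that have to agree: the forms cookie is issued with requireSSL="true", and everything that needs User.Identity lives under one folder that is locked to authenticated users and is only ever reached over https. The folder name Secure and the page ~/Secure/Login.aspx are assumptions for the example. Note that the login page itself must sit inside the SSL-only area: with requireSSL="true", FormsAuthentication.SetAuthCookie throws an HttpException if it is called on a request that is not over SSL, because it refuses to issue a secure cookie on a plain-text connection.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms auth cookie is marked Secure, so the browser only sends it over https.
         Any page reached over http therefore sees an anonymous Context.User. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Secure/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true" />
    </authentication>

    <!-- Public area: anonymous allowed, no dependency on User.Identity here. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authenticated area (assumed folder name): deny anonymous users.
       Every link into this folder must use an absolute https:// URL so that the
       Secure cookie is actually presented and IsAuthenticated comes back true. -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Links from the http part of the site into the Secure folder have to be written as absolute https:// URLs (or redirected there), since a relative link keeps the current scheme and would land on the secure area over http, where the cookie is withheld and the user is bounced to the login page.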

Hi All

If I set an ASP.NET 2.0 site to forms authentication mode with
requireSSL=true, and I log in through https, then as soon as I swap
back to http mode, User.Identity.IsAuthenticated becomes false again
and I lose all the previous Identity information. Can anyone tell me
how I'm supposed to make use of User.Identity without running the
whole site in SSL?

Thanks, TH.


