Strange behavior using SSL and "FORMS" authentication.

Hello,

I am using "FORMS" authentication. Without SSL the behavior is normal; everything works very well.

When I check "Require SSL" in IIS (in the Secure Communications property), I can't log in: after entering the credentials, I am redirected to the login page again. If I uncheck the SSL option in the IIS property, everything works very well again.

NOTE: I have a valid certificate, properly installed.

What is happening? Any suggestions?

Thanks in advance...

gmarquez
 
Setting RequireSSL="true" causes the authentication cookie to be sent back
only if you are in SSL.

i.e. if for example you have the login page at
https://mywebsite/login.asp and once logged in you redir the user to say
http://mywebsite/home.asp, you won't be able to access the authentication
cookie you set in the login page.
The reason being: RequireSSL explicitly means send the authentication
cookie only if the requested resource is protected.

Well, in the application_authenticate handler... irrespective of whether the
cookie was set in SSL mode or not we query it... and since there is no
query... you are not authorised to access the page (can set the principal so
even though you have the cookie... it was not passed and hence you are
an anonymous user)

HTH
--
Regards,

HD

 
Hello Mr. Dave,

Searching for similar questions (keyword = SSL, in the ASP.NET newsgroup), I found an argument about a similar situation. Something got my attention: they were discussing creating a self-signed certificate (as in my case).
It is about a developer who doesn't know how to create a self-signed certificate. (This does not apply to me.)
They recommend reviewing the following articles:

INFO: Help Secure Forms Authentication by Using Secure Sockets Layer (SSL)
(In this last article there is an example like your example)
http://support.microsoft.com/default.aspx?scid=kb;en-us;813829

INFO: Building Secure ASP.NET Web Applications Guide
http://support.microsoft.com/default.aspx?scid=kb;en-us;330246

I have used both of them and have done everything they suggest (including RequireSSL="true"), but the problem persists.

I have everything well configured, but when I access the secure page, the security alert shows me the following:

-(ok) The security certificate is from a trusted certifying authority.

-(ok) The security certificate is valid.

-(!) The name on the security certificate is invalid or does not match the name of the site.


Is it possible that the last alert is my problem? How can I repair it?

Thanks in advance...

gmarquez

 
Look, just try this.

Step through the application from login onwards, when you set the
authentication cookie... put a breakpoint on authenticate request
(global.asax)... on the page you are forwarding post authentication...
see what's exactly happening... check the duration of the ticket, i.e. expiration
time...

HTH
--
Regards,

HD
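
The check suggested in the replies above (whether the forms cookie actually arrives on the post-login request, and what the ticket's expiration is), written out as an added example that is not code from any poster in this thread. It assumes a Global.asax code-behind class named `Global`; the `[auth]` log prefix is made up for illustration, and the cookie value itself is deliberately never logged.

```csharp
// Global.asax.cs -- added diagnostic sketch, not code from the thread.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication   // class name is an assumption
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Request.Cookies[...] returns null when the browser did not send the cookie.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];

        Debug.WriteLine(string.Format(
            "[auth] url={0} secure={1} requireSSL={2} cookiePresent={3}",
            Request.Url, Request.IsSecureConnection,
            FormsAuthentication.RequireSSL, cookie != null));

        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // With requireSSL="true" the cookie carries the Secure attribute, so a
            // browser withholds it on any http:// request. secure=False on this line
            // means the post-login redirect left HTTPS.
            Debug.WriteLine("[auth] no forms cookie on this request -> anonymous");
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Log only the exception type; never write the cookie value to a log.
            Debug.WriteLine("[auth] ticket could not be decrypted: " + ex.GetType().Name);
            return;
        }

        if (ticket == null) { Debug.WriteLine("[auth] empty ticket"); return; }

        // Ticket lifetime, as suggested in the reply: an already-expired ticket
        // also sends the user back to the login page.
        Debug.WriteLine(string.Format(
            "[auth] user={0} issued={1:u} expires={2:u} expired={3} persistent={4}",
            ticket.Name, ticket.IssueDate, ticket.Expiration,
            ticket.Expired, ticket.IsPersistent));
    }
}
```

Comparing the line logged for the login POST with the line logged for the page it redirects to shows whether the scheme or host changed between the two requests.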

 