I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
Please help me why is this happening as i want all the pages to be secure by SSL.
Also the pages are opening as https not http.
here is my web.config
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="copiunGUI" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
</forms>
</authentication>
<httpCookies requireSSL="true"/>
<authorization>
<deny users="?"/>
</authorization>
my global.aspx code
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// Extract the forms authentication cookie
string redirectSecureUrl = Request.Url.ToString();
new GUIUtility().LogMessageToFile(redirectSecureUrl);
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
try
{
new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure + authCookie.Name + authCookie.Expires + authCookie.Path);
}
catch (Exception)
{
//
}
if (null == authCookie)
{
try
{
new GUIUtility().LogMessageToFile("authCookie = null");
}
catch (Exception)
{
//
}
// There is no authentication cookie.
return;
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception)
{
// Log exception details (omitted for simplicity)
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[] { '|' });
// Create an Identity object
FormsIdentity id = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
}
code in my login.aspx page
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version
UserName.Text, // user name
DateTime.Now, // creation
DateTime.Now.AddMinutes(60),// Expiration
false, // Persistent
role); // User data
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
if (authCookie.Secure)
{
new GUIUtility().LogMessageToFile("The cookie is secure with SSL." + authCookie.Name + authCookie.Expires + authCookie.Path);
}
//authCookie.Secure = FormsAuthentication.RequireSSL;
// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);
// Redirect the user to the originally requested page
string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);
new GUIUtility().LogMessageToFile(goToPath);
//here the value of gotoPath is /Default.aspx
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text,false));