views:

38

answers:

1

I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.

I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.

Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..

Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".

this is the case for all other pages after default. the value of the cookie.secure is false.

Please help me why is this happening as i want all the pages to be secure by SSL.

Also the pages are opening as https not http.

here is my web.config

        <authentication mode="Forms">
        <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="copiunGUI" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
        </forms>
    </authentication>
<httpCookies requireSSL="true"/>
    <authorization>
        <deny users="?"/>
    </authorization>

my global.aspx code

   protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Extract the forms authentication cookie

        string redirectSecureUrl = Request.Url.ToString();
        new GUIUtility().LogMessageToFile(redirectSecureUrl);

        string cookieName = FormsAuthentication.FormsCookieName.ToString();
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        try
        {
            new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure + authCookie.Name + authCookie.Expires + authCookie.Path);
        }
        catch (Exception)
        {
            //
        }

        if (null == authCookie)
        {
            try
            {
                new GUIUtility().LogMessageToFile("authCookie = null");
            }
            catch (Exception)
            {
                //
            }

            // There is no authentication cookie.
            return;
        }

        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Log exception details (omitted for simplicity)
            return;
        }

        if (null == authTicket)
        {
            // Cookie failed to decrypt.
            return;
        }

        // When the ticket was created, the UserData property was assigned a
        // pipe delimited string of role names.
        string[] roles = authTicket.UserData.Split(new char[] { '|' });

        // Create an Identity object
        FormsIdentity id = new FormsIdentity(authTicket);

        // This principal will flow throughout the request.
        GenericPrincipal principal = new GenericPrincipal(id, roles);
        // Attach the new principal object to the current HttpContext object
        Context.User = principal;
    }

code in my login.aspx page

 // Create the authentication ticket
                    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,                          // version
                                                   UserName.Text,           // user name
                                                   DateTime.Now,               // creation
                                                   DateTime.Now.AddMinutes(60),// Expiration
                                                   false,                      // Persistent 
                                                   role);         // User data

                    // Now encrypt the ticket.
                    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

                    // Create a cookie and add the encrypted ticket to the
                    // cookie as data.
                    HttpCookie authCookie =
                                 new HttpCookie(FormsAuthentication.FormsCookieName,
                                                encryptedTicket);

                    if (authCookie.Secure)
                    {
                        new GUIUtility().LogMessageToFile("The cookie is secure with SSL." + authCookie.Name + authCookie.Expires + authCookie.Path);
                    }

                    //authCookie.Secure = FormsAuthentication.RequireSSL;

                    // Add the cookie to the outgoing cookies collection.
                    HttpContext.Current.Response.Cookies.Add(authCookie);

                    // Redirect the user to the originally requested page
                    string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);
                    new GUIUtility().LogMessageToFile(goToPath);
                    //here the value of gotoPath is /Default.aspx
                    Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text,false));
+1  A: 

I've always wondered about this. I've tried setting RequireSSL="true", but I kept getting new sessions and my logins didn't last more than a request. When I was looking at the underpinnings trying to see what was going on, I realized that cookies are just part of the HTTP request and response and didn't appear to go out seperately. So if I was on an unsecure page, the browser did not transmit the cookie to my website.

If you need it to be secure, I think you need to flip over your entire session to use https after the cookie is set or else it will not be transmitted, and will potentially be overwritten on the next request when IIS/ASP.net doesn't get the session cookie it was looking for (I'm pretty sure this is why I kept getting new sessions).

Sam
so in the login page i have the function "string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);" the value is /Default.aspx which is an absolute path... then i redirect it.. where it goes to the global.ascx page where i first check the URL by "string redirectSecureUrl = Request.Url.ToString();" the value here is "https://Default.aspx".. so in i cant figure out why is the cookie turning from secure on login to unsecure on global.aspx... any suggestions.. thanks