tags:

views:

22

answers:

1
+1  Q: 

How to create a Cookie using SSL pages?

Hi,
I have an ASP:NET MVC 2 web site that is on SSL. I want to create a cookie like this: 

FormsAuthentication.SetAuthCookie(validatedUser.UserName, false);
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, validatedUser.SecureToken, DateTime.Now, DateTime.Now.AddMinutes(10), false, String.Empty);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(cookie);

But I get an exception, telling: "The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL."

In web.config I have: 

<authentication mode="Forms">
    <forms loginUrl="~/Account/LoginError" timeout="2880" requireSSL="true" protection="All"/>
</authentication>

How can I fix this?

+1  A: 

requireSSL="false" or use http:// to request your site. Note that both are bad idea if you care about security. If you want a secure site leave requireSSL="true" and use https:// to request your site.

Also the SetAuthCookie method already writes the cookie to the response so you don't need the rest:

FormsAuthentication.SetAuthCookie(validatedUser.UserName, false);

is enough. You don't need to worry about FormsAuthenticationTicket and adding the cookie to the response.

Darin Dimitrov  2010-10-25 11:25:46
I have requireSSL="true" and use https:// because I need security, but I always get that exception.
dani  2010-10-25 11:29:25
Well, the exception you are getting proves that you are not using `https://`. Or maybe there's some firewall or proxy server between the client and the web server which rewrites the request? Is the SSL certificate installed on the web server?
Darin Dimitrov  2010-10-25 11:30:56
I found the problem. It is that when I run the web site form VisualStudio it wont work. If I run the site over IIS, it works.
dani  2010-10-25 11:59:11

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL