SSL and Forms Authentication

 
 
Scott
02-18-2004
Hi,

I've seen this problem posted a few times around the 'net with no answer.
Hopefully someone here can help.

We have our website configured to use Forms Authentication. We want to
secure the Login page ONLY using SSL. When a user goes to the site he is
redirected to the Login page for authentication, but gets an error saying
the resource is protected and they must use HTTPS:.

That's ugly, since the redirect should be transparent to the user.

When we set up the <forms> tag we have tried using the full path in the
loginUrl property, including 'httpS://'. When we do this the user doesn't
get the message about HTTPS, but he DOES get an NT Authentication login
dialog instead.

That's even uglier and I'm not even sure why that happens.

Documentation and books I've read allude to the ability to secure a single
folder or page using SSL and the login redirection works. Those same
documents and books don't say HOW to make it work and we haven't been able
to either.

Is it even possible to do this? Has anyone here done it successfully?

Scott L.


 
Paul Glavich
02-19-2004
Perhaps you could try and put some code in the Application_Authenticate
event that checks to see if the user is already authenticated, if not, then
issue a manual redirect to your HTTPS login page.

--
- Paul Glavich


Justin
02-24-2004
I've been trying to figure this out too, without luck. I just work around it
by redirecting to a relative aspx page from the loginUrl in web.config, then
do a Response.Redirect("https://www.host.com/login.aspx") from that. Messy
but it works.

Justin
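
The manual redirect suggested in the two replies above, written out as an added example (it is not code posted by anyone in this thread). It sends unauthenticated requests straight to the HTTPS login page in one hop and carries the originally requested page along as ReturnUrl, accepting only site-relative values. Assumptions: the site runs at the root of www.host.com, the login page is /login.aspx, and every URL handled by ASP.NET requires a signed-in user.

```csharp
// Global.asax.cs: added illustration, not code posted in this thread.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumed values, fixed in code so the redirect target never depends
    // on the client-supplied Host header.
    private const string SecureHost = "www.host.com";
    private const string LoginPath = "/login.aspx";

    // Assumes every URL handled by ASP.NET requires a signed-in user.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        if (request.IsAuthenticated)
            return;

        bool isLoginPage = string.Equals(
            request.Path, LoginPath, StringComparison.OrdinalIgnoreCase);
        if (isLoginPage && request.IsSecureConnection)
            return; // already on the HTTPS login page

        // Where to send the user after sign-in: the page originally asked
        // for, or the ReturnUrl already carried by an HTTP login request.
        string returnUrl = isLoginPage
            ? request.QueryString["ReturnUrl"]
            : request.RawUrl;
        if (!IsLocalPath(returnUrl))
            returnUrl = "/";

        string target = "https://" + SecureHost + LoginPath
            + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        Context.Response.Redirect(target, true);
    }

    // Accept only site-relative paths so ReturnUrl cannot be used to
    // bounce a freshly signed-in user to another host.
    private static bool IsLocalPath(string url)
    {
        return url != null && url.Length > 0
            && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

Protecting only the login page keeps the password off the wire, but the forms authentication cookie issued afterwards is still sent in clear on every later HTTP request. Keeping the session on HTTPS and setting requireSSL="true" on the <forms> element stops the cookie from leaving over plain HTTP.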
