«

Hello-

I am using Forms Authentication in a load-balanced web app and am trying to
implement SSL. My login script goes into SSL just fine. But, when I
redirect out back to HTTP, I seem to lose my authentication context and get
redirected back to the login page again. A few notes that may or may not be
important: One, I am using cisco load balancing to balance two IIS
webservers (another important note is that this works fine on our single dev
server). The load balancer is maintaining server affinity. Two, I am
storing my session state in SQL. I don't think that matters to Forms Auth,
but I could be wrong. Three, my login.aspx page is in the same directory as
the rest of my site files.

If I remain in HTTPS, the site works just fine and I move on as expected
from the login page. The problem only happens when I attempt to redirect
back into HTTP where the application seems to think I am no longer
authenticated and I recursively go back to the login page.

Here are my web.config settings:

<authentication mode="Forms">
<forms name=".MYAPPLICATIONNAME">
<loginUrl=https://www.mydomain.com/login.aspx
protection="All"
timeout="30"
path="/"/>
</authentication>

and to allow anonymous users access to my login page:

<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

After I verify credentials, my login page creates the auth cookie and
redirects to the next page of the site via HTTP:
// Logic to validate user

Some authentication logic...

// Set the auth cookie

FormsAuthentication.SetAuthCookie(txtUsername.Text , false, string.Empty);

// redirect out of SSL

Response.Redirect("http://" + Request.Url.Host +
FormsAuthentication.GetRedirectUrl(txtUsername.Tex t, false));


If anyone has any insight, I'd be much obliged!

Thanks

Al

Hello asdasd,

ASP.NET encrypts and signs the auth cookie. The key used for crypto must
be the same on both machines - this is configured in the <machineKey> element
-

we have a tool on our website which spits out the correct XML fragment, just
duplicate this for your machines.

http://www.develop.com/technology/re...5-b080117ceac0

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello-
>
> I am using Forms Authentication in a load-balanced web app and am
> trying to implement SSL. My login script goes into SSL just fine.
> But, when I redirect out back to HTTP, I seem to lose my
> authentication context and get redirected back to the login page
> again. A few notes that may or may not be important: One, I am using
> cisco load balancing to balance two IIS webservers (another important
> note is that this works fine on our single dev server). The load
> balancer is maintaining server affinity. Two, I am storing my session
> state in SQL. I don't think that matters to Forms Auth, but I could
> be wrong. Three, my login.aspx page is in the same directory as the
> rest of my site files.
>
> If I remain in HTTPS, the site works just fine and I move on as
> expected from the login page. The problem only happens when I attempt
> to redirect back into HTTP where the application seems to think I am
> no longer authenticated and I recursively go back to the login page.
>
> Here are my web.config settings:
>
> <authentication mode="Forms">
> <forms name=".MYAPPLICATIONNAME">
> <loginUrl=https://www.mydomain.com/login.aspx
> protection="All"
> timeout="30"
> path="/"/>
> </authentication>
> and to allow anonymous users access to my login page:
>
> <location path="Login.aspx">
> <system.web>
> <authorization>
> <allow users="?"/>
> </authorization>
> </system.web>
> </location>
> After I verify credentials, my login page creates the auth cookie and
> redirects to the next page of the site via HTTP:
> // Logic to validate user
> Some authentication logic...
>
> // Set the auth cookie
>
> FormsAuthentication.SetAuthCookie(txtUsername.Text , false,
> string.Empty);
>
> // redirect out of SSL
>
> Response.Redirect("http://" + Request.Url.Host +
> FormsAuthentication.GetRedirectUrl(txtUsername.Tex t, false));
>
> If anyone has any insight, I'd be much obliged!
>
> Thanks
>
> Al
>

If your load balancer isn't actually maintaining affinity in the case of
https/http transitions, then the encryption key mentioned by Dominick may be
the issue. However, there's also another possibility that you may want to
rule out before investigating the possible affinity loss. Since you haven't
set an explicit value for the requireSSL attribute of the
authentication\forms element in your web.config file, you may be inheriting
from a parent configuration file (e.g.: machine.config).

That said, allowing an authentication cookie to be passed over an HTTP
connection is generally a pretty bad idea since the cookie alone can be used
to authenticate against your site. If it was worth protecting the original
login information via use of HTTPS, it's worth protecting the cookie as
well.



<asdasd> wrote in message news:O%...
> Hello-
>
> I am using Forms Authentication in a load-balanced web app and am trying
> to implement SSL. My login script goes into SSL just fine. But, when I
> redirect out back to HTTP, I seem to lose my authentication context and
> get redirected back to the login page again. A few notes that may or may
> not be important: One, I am using cisco load balancing to balance two IIS
> webservers (another important note is that this works fine on our single
> dev server). The load balancer is maintaining server affinity. Two, I
> am storing my session state in SQL. I don't think that matters to Forms
> Auth, but I could be wrong. Three, my login.aspx page is in the same
> directory as the rest of my site files.
>
> If I remain in HTTPS, the site works just fine and I move on as expected
> from the login page. The problem only happens when I attempt to redirect
> back into HTTP where the application seems to think I am no longer
> authenticated and I recursively go back to the login page.
>
> Here are my web.config settings:
>
> <authentication mode="Forms">
> <forms name=".MYAPPLICATIONNAME">
> <loginUrl=https://www.mydomain.com/login.aspx
> protection="All"
> timeout="30"
> path="/"/>
> </authentication>
>
> and to allow anonymous users access to my login page:
>
> <location path="Login.aspx">
> <system.web>
> <authorization>
> <allow users="?"/>
> </authorization>
> </system.web>
> </location>
>
> After I verify credentials, my login page creates the auth cookie and
> redirects to the next page of the site via HTTP:
> // Logic to validate user
>
> Some authentication logic...
>
> // Set the auth cookie
>
> FormsAuthentication.SetAuthCookie(txtUsername.Text , false, string.Empty);
>
> // redirect out of SSL
>
> Response.Redirect("http://" + Request.Url.Host +
> FormsAuthentication.GetRedirectUrl(txtUsername.Tex t, false));
>
>
> If anyone has any insight, I'd be much obliged!
>
> Thanks
>
> Al
>

Thanks Nicole. Good point and a silly oversight on my part. I'll make sure
I explicitly set that attribute.

Al



"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%23B$...
> If your load balancer isn't actually maintaining affinity in the case of
> https/http transitions, then the encryption key mentioned by Dominick may
> be the issue. However, there's also another possibility that you may want
> to rule out before investigating the possible affinity loss. Since you
> haven't set an explicit value for the requireSSL attribute of the
> authentication\forms element in your web.config file, you may be
> inheriting from a parent configuration file (e.g.: machine.config).
>
> That said, allowing an authentication cookie to be passed over an HTTP
> connection is generally a pretty bad idea since the cookie alone can be
> used to authenticate against your site. If it was worth protecting the
> original login information via use of HTTPS, it's worth protecting the
> cookie as well.
>
>
>
> <asdasd> wrote in message news:O%...
>> Hello-
>>
>> I am using Forms Authentication in a load-balanced web app and am trying
>> to implement SSL. My login script goes into SSL just fine. But, when I
>> redirect out back to HTTP, I seem to lose my authentication context and
>> get redirected back to the login page again. A few notes that may or may
>> not be important: One, I am using cisco load balancing to balance two
>> IIS webservers (another important note is that this works fine on our
>> single dev server). The load balancer is maintaining server affinity.
>> Two, I am storing my session state in SQL. I don't think that matters to
>> Forms Auth, but I could be wrong. Three, my login.aspx page is in the
>> same directory as the rest of my site files.
>>
>> If I remain in HTTPS, the site works just fine and I move on as expected
>> from the login page. The problem only happens when I attempt to redirect
>> back into HTTP where the application seems to think I am no longer
>> authenticated and I recursively go back to the login page.
>>
>> Here are my web.config settings:
>>
>> <authentication mode="Forms">
>> <forms name=".MYAPPLICATIONNAME">
>> <loginUrl=https://www.mydomain.com/login.aspx
>> protection="All"
>> timeout="30"
>> path="/"/>
>> </authentication>
>>
>> and to allow anonymous users access to my login page:
>>
>> <location path="Login.aspx">
>> <system.web>
>> <authorization>
>> <allow users="?"/>
>> </authorization>
>> </system.web>
>> </location>
>>
>> After I verify credentials, my login page creates the auth cookie and
>> redirects to the next page of the site via HTTP:
>> // Logic to validate user
>>
>> Some authentication logic...
>>
>> // Set the auth cookie
>>
>> FormsAuthentication.SetAuthCookie(txtUsername.Text , false, string.Empty);
>>
>> // redirect out of SSL
>>
>> Response.Redirect("http://" + Request.Url.Host +
>> FormsAuthentication.GetRedirectUrl(txtUsername.Tex t, false));
>>
>>
>> If anyone has any insight, I'd be much obliged!
>>
>> Thanks
>>
>> Al
>>
>
>

Thanks Dominick. I'll give that suggestion a shot and report back once I
can get the change into production and test.

Al

"Dominick Baier [DevelopMentor]" <>
wrote in message news:.. .
> Hello asdasd,
>
> ASP.NET encrypts and signs the auth cookie. The key used for crypto must
> be the same on both machines - this is configured in the <machineKey>
> element -
>
> we have a tool on our website which spits out the correct XML fragment,
> just duplicate this for your machines.
>
> http://www.develop.com/technology/re...5-b080117ceac0
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Hello-
>>
>> I am using Forms Authentication in a load-balanced web app and am
>> trying to implement SSL. My login script goes into SSL just fine.
>> But, when I redirect out back to HTTP, I seem to lose my
>> authentication context and get redirected back to the login page
>> again. A few notes that may or may not be important: One, I am using
>> cisco load balancing to balance two IIS webservers (another important
>> note is that this works fine on our single dev server). The load
>> balancer is maintaining server affinity. Two, I am storing my session
>> state in SQL. I don't think that matters to Forms Auth, but I could
>> be wrong. Three, my login.aspx page is in the same directory as the
>> rest of my site files.
>>
>> If I remain in HTTPS, the site works just fine and I move on as
>> expected from the login page. The problem only happens when I attempt
>> to redirect back into HTTP where the application seems to think I am
>> no longer authenticated and I recursively go back to the login page.
>>
>> Here are my web.config settings:
>>
>> <authentication mode="Forms">
>> <forms name=".MYAPPLICATIONNAME">
>> <loginUrl=https://www.mydomain.com/login.aspx
>> protection="All"
>> timeout="30"
>> path="/"/>
>> </authentication>
>> and to allow anonymous users access to my login page:
>>
>> <location path="Login.aspx">
>> <system.web>
>> <authorization>
>> <allow users="?"/>
>> </authorization>
>> </system.web>
>> </location>
>> After I verify credentials, my login page creates the auth cookie and
>> redirects to the next page of the site via HTTP:
>> // Logic to validate user
>> Some authentication logic...
>>
>> // Set the auth cookie
>>
>> FormsAuthentication.SetAuthCookie(txtUsername.Text , false,
>> string.Empty);
>>
>> // redirect out of SSL
>>
>> Response.Redirect("http://" + Request.Url.Host +
>> FormsAuthentication.GetRedirectUrl(txtUsername.Tex t, false));
>>
>> If anyone has any insight, I'd be much obliged!
>>
>> Thanks
>>
>> Al
>>
>
>
>