You have to run all pages that rely on authentication under SSL - on every
request the authentication cookie is round-tripped and you don't want that to
be stolen or sniffed from the wire.
requireSSL sets the "secure" flag on cookies - meaning they are not sent
if the wire is not secure - resulting in an empty Context.User.
You should partition your site in areas that need auth and areas that don't.
Or run the whole site on SSL.
Have a look here:
http://www.leastprivilege.com/Partia...ithASPNET.aspx
http://www.leastprivilege.com/CachingAndSSLPages.aspx
http://www.leastprivilege.com/Expres...Redirects.aspx
-----
Dominick Baier (http://www.leastprivilege.com)
> Hi All
>
> If I set an ASP.NET 2.0 site to forms authentication mode with
> requireSSL=true, and I log in through https, then as soon as I swap
> back to http mode, User.Identity.IsAuthenticated becomes false again
> and I lose all the previous Identity information. Can anyone tell me
> how I'm supposed to make use of User.Identity without running the
> whole site in SSL?
>
> Thanks, TH.
>
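
The partitioning suggested in the reply, as an added web.config sketch that is not part of the original thread. The folder name "members" and the page "Login.aspx" are assumed names, and requiring https on that folder is configured in IIS, which is not shown here.

```xml
<!-- Added example: "members" and "Login.aspx" are assumed names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true" sets the "secure" flag on the ticket cookie:
           the browser sends it only over https, so any request made over
           http arrives without it and Context.User is anonymous. -->
      <forms loginUrl="~/members/Login.aspx" requireSSL="true" />
    </authentication>

    <!-- Public area (site root): needs no identity, so it can be served
         over plain http. Pages here must not rely on User.Identity. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authenticated area: every page that reads User.Identity lives
       under this folder and is requested over https only, so the
       secure cookie is always present on these requests. -->
  <location path="members">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users; they are sent to the login page. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Links from the public area into "members" should use absolute https URLs, so that the first request to the authenticated area already carries the cookie.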