cookie in default not secure but secure in SSL
I have a GUI when i log in i create a cookie and it encrypt it. I am usin SSL.
I check in the Login.aspx page if the cookie is secure, which it is. but then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page..
Now i know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page excet that the secure value is "False".
this is the case for all other pages after default. the value of the cookie.secure is false.
Please help me why is this happening as i want all the pages to be secure by SSL.
Also the pages are opening as https not http.
here is my web.config
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="copiunGUI" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
</forms>
</authentication>
<httpCookies requireSSL="true"/>
<authorization>
<deny users="?"/>
</authorization>
my global.aspx code
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// Extract the forms authentication cookie
string redirectSecureUrl = Request.Url.ToString();
new GUIUtility().LogMessageToFile(redirectSecureUrl);
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
try
{
new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure + authCookie.Name + authCookie.Expires + authCookie.Path);
}
catch (Exception)
{
//
}
if (null == authCookie)
{
try
{
new GUIUtility().LogMessageToFile("authCookie = null");
}
catch (Exception)
{
//
}
// There is no authentication cookie.
return;
}
FormsAuthenticationTicket authTicket = null;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch (Exception)
{
// Log exception details (omitted for simplicity)
return;
}
if (null == authTicket)
{
// Cookie failed to decrypt.
return;
}
// When the ticket was created, the UserData property was assigned a
// pipe delimited string of role names.
string[] roles = authTicket.UserData.Split(new char[] { '|' });
// Create an Identity object
FormsIdentity id = new FormsIdentity(authTicket);
// This principal will flow throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, roles);
// Attach the new principal object to the current HttpContext object
Context.User = principal;
}
code in my login.aspx page
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version
UserName.Text, // user name
DateTime.Now, // creation
DateTime.Now.AddMinutes(60),// Expiration
false, // 开发者_如何学PythonPersistent
role); // User data
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
if (authCookie.Secure)
{
new GUIUtility().LogMessageToFile("The cookie is secure with SSL." + authCookie.Name + authCookie.Expires + authCookie.Path);
}
//authCookie.Secure = FormsAuthentication.RequireSSL;
// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);
// Redirect the user to the originally requested page
string goToPath = FormsAuthentication.GetRedirectUrl(UserName.Text, true);
new GUIUtility().LogMessageToFile(goToPath);
//here the value of gotoPath is /Default.aspx
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text,false));
I've always wondered about this. I've tried setting RequireSSL="true", but I kept getting new sessions and my logins didn't last more than a request. When I was looking at the underpinnings trying to see what was going on, I realized that cookies are just part of the HTTP request and response and didn't appear to go out seperately. So if I was on an unsecure page, the browser did not transmit the cookie to my website.
If you need it to be secure, I think you need to flip over your entire session to use https after the cookie is set or else it will not be transmitted, and will potentially be overwritten on the next request when IIS/ASP.net doesn't get the session cookie it was looking for (I'm pretty sure this is why I kept getting new sessions).
精彩评论