I am in a situation where, on the site I am working on, the manager wants to allow the user to log in and not worry whether they logged in through http or https. Based on another SO question (how can I share an asp.net session between http and https) I thought this would be possible if I set secure = false on the cookie. To add to this, we use a subdomain for the secure part of the site, so for http we use site.com, while https uses secure.site.com. So I tried setting the domain for the authentication in the web.config.
<authentication mode="Forms">
  <forms loginUrl="/account/login"
         protection="All"
         timeout="30"
         name=".ASPXAUTH"
         path="/"
         requireSSL="false"
         slidingExpiration="true"
         defaultUrl="/"
         cookieless="UseDeviceProfile"
         domain="site.com"
         enableCrossAppRedirects="false" />
</authentication>
Am I doing this all wrong? I understand there are some security concerns and I was going to address them when a request is made. I just want to allow the user to log in once and be remembered across http and https. Thanks.
1 Answer
I think you have the wrong domain in your web.config. You should change it to
domain=".site.com"
So you're allowing your forms auth cookie to live on both ssl.site.com and no-ssl.site.com, for example.
All that being said, any kind of security starts with https:// over your whole solution - otherwise you're open to man-in-the-middle attacks (a web proxy can inject inappropriate content into your solution, they can steal your authorization cookie and use it in a flow on https://ssl.site.com, etc.).
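As an added illustration (not code from the question or the answer), the following models RFC 6265 cookie scoping to show where a browser would send the forms-auth cookie configured above: Domain=site.com, Path=/, and no Secure flag because requireSSL="false". The hostnames site.com and secure.site.com come from the question; the other hosts and URLs are constructed. Per RFC 6265 a leading dot in the Domain attribute is ignored, so modern browsers treat "site.com" and ".site.com" identically; only older cookie implementations distinguished them.

```python
"""Model of RFC 6265 cookie scoping to see where a forms-auth cookie travels."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # Domain attribute exactly as the server emitted it
    path: str = "/"
    secure: bool = False   # requireSSL="true" in <forms> would set this flag


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-matching; the leading dot is dropped (s5.2.3)."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-matching."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def is_sent(cookie: Cookie, url: str) -> bool:
    """Would a compliant browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False            # Secure cookies never leave over plain http
    return (domain_matches(parts.hostname, cookie.domain)
            and path_matches(parts.path or "/", cookie.path))


def plaintext_exposures(cookie: Cookie, urls: list[str]) -> list[str]:
    """URLs where the cookie is sent over plain http, i.e. readable by a MITM."""
    return [u for u in urls if u.startswith("http://") and is_sent(cookie, u)]


# Constructed request set: the two hosts from the question plus look-alikes.
SAMPLE_URLS = [
    "http://site.com/", "https://secure.site.com/account",
    "http://www.site.com/news", "http://evilsite.com/", "https://site.com.example/",
]

if __name__ == "__main__":
    shared = Cookie(".ASPXAUTH", "site.com")                # the web.config above
    hardened = Cookie(".ASPXAUTH", "site.com", secure=True)  # requireSSL="true"
    print("leaks over http:", plaintext_exposures(shared, SAMPLE_URLS))
    print("leaks over http:", plaintext_exposures(hardened, SAMPLE_URLS))
```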