Forms Authentication and SSL

Posted: 07-15-2003, 07:54 AM
Hi, I read some posts here, but I haven't found the full solution of my
problem.

I've configured my web application to use SSL with Server Certificates
(Tested and works).

Only one subfolder (/secure) of my webapp works with SSL. (Tested and works)

Web.Config
<authentication mode="Forms">
<forms loginUrl="/secure/login.aspx" protection="All" timeout="30"
requireSSL="true">
......

The users search a page of my webapp (example:
"http://myserver/mywebapp/webform1.aspx") on a non secure SSL channel.
If the user isn't authenticated, he will be redirected to the loginUrl. The
problem is that he will not be redirected with the https:// prefix, so he
has to manually change the address from http:// to https://.

I've tried putting the full address in the loginUrl, like
loginUrl="https://myserver/mywebapp/secure/login.aspx", but in this case,
when redirecting on the login.aspx, I receive an Access denied Error
(401.2).

I've tried to configure IIS security, with anonymous access only, Windows
authentication, both, but nothing changes.

So, the question is simple: how can I redirect a user to an SSL login page
when he isn't authenticated, no matter if he comes from an http:// or
https:// address?
Thank you in advance

Marco Roello
marco.roello@cnrservice.it



How can I configure my app





Responses to "Forms Authentication and SSL"

Michael Tissington
Forms Authentication and SSL
Posted: 10-21-2003, 05:10 PM
I'm using Forms Authentication, the user may come from a HTTP page, the
login page is using SSL, so after logging in the user will be redirected
back to a non SSL page.

This used to work without any warnings. Suddenly after entering the login
information IE is warning the user that they are being redirected to a non
secure page.

What is causing this?

If I change the login page to non ssl (just HTTP) then I don't get the
problem.

How can I use SSL for the login page and not prompt the user when they are
being redirected?

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com



Jacob Yang [MSFT]
RE: Forms Authentication and SSL
Posted: 10-22-2003, 07:36 AM
Hi Michael,

From security consideration, IE will prompt us this security alert either
when we enter into a secure website from a non-secure one, or vice versa.
To my knowledge, we cannot dismiss this alert, unless we check the "In the
future, do not show this warning" checkbox.

This security alert is very useful in the case if we want to send out our
secret information, such as credit account number, password, over internet.
With this alert, we should be notified whether the web site we are
communicating is a real secure or valid web site before sending out the
secret information. Without this security alert, we have no sense whether
the web site is secure.

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Michael Tissington
Re: Forms Authentication and SSL
Posted: 10-22-2003, 03:24 PM
Jacob,

Yes, it partly answers my question.

The other aspect of this is how do I use forms authentication with SSL?

Consider the following

1) User views a non SSL page
2) Clicks on a link which requires forms authentication
3) Web.config points to a https page for the login information
4) Using SSL the login information is collected
5) How then does the redirection back to the referring page work?
Is it SSL or the original protocol - can it be specified?

Basically we are just wanting to collect the user information using SSL
and then return to the protocol that was in use when the user clicked on the
link (which may or may not be https).

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com



MSFT
Re: Forms Authentication and SSL
Posted: 10-23-2003, 11:05 AM
Hi Michael,

Is the login form (SSL required) in the same web application or virtual
folder?

With FormsAuthentication.RedirectFromLoginPage method, we can't specify the
protocol or get the source protocol from the FormsAuthentication object.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
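
Added example, not part of any post in this thread: one way to handle the two redirects discussed above by building the URLs yourself instead of relying on RedirectFromLoginPage. The class name LoginRedirects, its methods, and the default path /mywebapp/default.aspx are hypothetical; the host and other paths are the sample values from the first post, and default ports (80/443) are assumed.

```csharp
using System;

// Hypothetical helper (added example, not code from the thread).
public static class LoginRedirects
{
    // Same URL with the scheme switched; path and query (including ReturnUrl) are kept.
    public static string WithScheme(Uri url, bool https)
    {
        UriBuilder b = new UriBuilder(url);
        b.Scheme = https ? "https" : "http";
        b.Port = -1; // -1 = default port for the scheme (assumes 80/443)
        return b.Uri.AbsoluteUri;
    }

    // ReturnUrl comes from the query string, so accept only a path on this site.
    public static bool IsLocalPath(string returnUrl)
    {
        if (returnUrl == null || returnUrl.Length < 1 || returnUrl[0] != '/') return false;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\')) return false;
        return true;
    }

    // Destination after a successful login. With requireSSL="true" (as in the
    // web.config above) the ticket cookie is marked Secure and is not sent over
    // http, so pass https = true to keep the user authenticated on arrival.
    public static string AfterLogin(Uri loginUrl, string returnUrl, string defaultPath, bool https)
    {
        string path = IsLocalPath(returnUrl) ? returnUrl : defaultPath;
        Uri site = new Uri(loginUrl.GetLeftPart(UriPartial.Authority));
        return WithScheme(new Uri(site, path), https);
    }

    // Assumed wiring in the login.aspx code-behind:
    //   if (!Request.IsSecureConnection)
    //       Response.Redirect(LoginRedirects.WithScheme(Request.Url, true));
    //   ... after the credentials have been checked:
    //   FormsAuthentication.SetAuthCookie(userName, false);
    //   Response.Redirect(LoginRedirects.AfterLogin(Request.Url,
    //       Request.QueryString["ReturnUrl"], "/mywebapp/default.aspx", true));
    public static void Main()
    {
        // Constructed sample request: the login page reached over plain http.
        Uri plain = new Uri("http://myserver/mywebapp/secure/login.aspx?ReturnUrl=%2fmywebapp%2fwebform1.aspx");
        Uri login = new Uri(WithScheme(plain, true));
        Console.WriteLine(login.AbsoluteUri);
        Console.WriteLine(AfterLogin(login, "/mywebapp/webform1.aspx", "/mywebapp/default.aspx", true));
        Console.WriteLine(AfterLogin(login, "//other.example/x", "/mywebapp/default.aspx", true));
    }
}
```

The http-to-https upgrade in the login page only runs if IIS lets the plain-http request reach ASP.NET; if the /secure folder is set to require SSL at the IIS level, the request is rejected before this code executes.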
