SSL and Forms Authentication

[Scott]

Hi,

I've seen this problem posted a few times around the 'net with no answer.
Hopefully someone here can help.

We have our website configured to use Forms Authentication. We want to
secure the Login page ONLY using SSL. When a user goes to the site he is
redirected to the Login page for authentication, but gets an error saying
the resource is protected and they must use HTTPS:.

That's ugly, since the redirect should be transparent to the user.

When we setup the <forms> tag we have tried using the full path in the
loginUrl property, including 'httpS://'. When we do this the user doesn't
get the message about HTTPS, but he DOES get an NT Authentication login
dialog instead.

Thats even uglier and I'm not even sure why that happens.

Documentation and books I've read allude to the abiltiy to secure a single
folder or page using SSL and the login redirection works. Those same
documents and books don't say HOW to make it work and we haven't been able
to either.

Is it even possible to do this? Has anyone here done it successfully?

Scott L.

[Paul Glavich]

Perhaps you could try and put some code in the Application_Authenticate
event that checks to see if the user is already authenticated, if not, then
issue a manual redirect to your HTTPS login page.

--
- Paul Glavich


"Scott" <no_email_at_all> wrote in message
news:uBN4Zln9DHA.2480@TK2MSFTNGP10.phx.gbl...

> Hi,
>
> I've seen this problem posted a few times around the 'net with no answer.
> Hopefully someone here can help.
>
> We have our website configured to use Forms Authentication. We want to
> secure the Login page ONLY using SSL. When a user goes to the site he is
> redirected to the Login page for authentication, but gets an error saying
> the resource is protected and they must use HTTPS:.
>
> That's ugly, since the redirect should be transparent to the user.
>
> When we setup the <forms> tag we have tried using the full path in the
> loginUrl property, including 'httpS://'. When we do this the user doesn't
> get the message about HTTPS, but he DOES get an NT Authentication login
> dialog instead.
>
> Thats even uglier and I'm not even sure why that happens.
>
> Documentation and books I've read allude to the abiltiy to secure a single
> folder or page using SSL and the login redirection works. Those same
> documents and books don't say HOW to make it work and we haven't been able
> to either.
>
> Is it even possible to do this? Has anyone here done it successfully?
>
> Scott L.
>
>

[Justin]

I've been trying to figure this out too, without luck. I just work around it
by
redirecting to a relative aspx page from the loginurl in web.config, then
do a response.redirect([url]https://www.host.com/login.aspx[/url]) from that. Messy
but it works

Justin

"Scott" <no_email_at_all> wrote in message
news:uBN4Zln9DHA.2480@TK2MSFTNGP10.phx.gbl...

> Hi,
>
> I've seen this problem posted a few times around the 'net with no answer.
> Hopefully someone here can help.
>
> We have our website configured to use Forms Authentication. We want to
> secure the Login page ONLY using SSL. When a user goes to the site he is
> redirected to the Login page for authentication, but gets an error saying
> the resource is protected and they must use HTTPS:.
>
> That's ugly, since the redirect should be transparent to the user.
>
> When we setup the <forms> tag we have tried using the full path in the
> loginUrl property, including 'httpS://'. When we do this the user doesn't
> get the message about HTTPS, but he DOES get an NT Authentication login
> dialog instead.
>
> Thats even uglier and I'm not even sure why that happens.
>
> Documentation and books I've read allude to the abiltiy to secure a single
> folder or page using SSL and the login redirection works. Those same
> documents and books don't say HOW to make it work and we haven't been able
> to either.
>
> Is it even possible to do this? Has anyone here done it successfully?
>
> Scott L.
>
>