Unsecure posting back from an asp.net control on a secure page while avoiding authentication

We are using standard asp.net forms authentication. Certain pages require a user to be logged in, and at least some of these pages are delivered by https. There is a search control at the top of each page. When this is used, we don't care whether the user's session has expired, even if the current page requires a log in.

However, currently, when performing the search, the built-in forms authentication sees that the page being posted to requires authentication and redirects the user to the login page, with the previous page, not the search results page, as the referrer.

What is the best way of bypassing the security here? I have considered posting to a different page using the PostBackUrl property, but if this is not https you get the "you are posting data to an unsecure connection" message, which users don't like.

Thanks for any help.

Edit: thanks Nick for your suggestion of using a GET on the search page. We are doing this already, but the query string is constructed by the search input control, which then redirects. How can we build up the query string without using a postback? (Obviously javascript is an option, but I was hoping to find an alternative mechanism.)

Gaz asked Dec 04 '25 20:12


1 Answer

For the search page you want to make sure the search is happening via a GET request (i.e. like Google, with the "q" in the query string). Chances are you are doing a POST.

So change your

<form method="post" ...>

to

<form method="get" ...>

The biggest mistake most developers make with search pages is to do a post back. HTTP was designed to do queries or searches through the query string (thus the name), and to get a form to post to a query string instead of the body you need to use a "GET" method. This way any search device can use your search page, even the browser's search box.

Second, you want to create a special location config for your search page. You add this to your web.config.

<location path="my-search-page.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

This creates a special override for that one page, and everything inside the location tag uses the exact same web.config structure to override the web.config.

You will want to repeat this for each page you want to allow all users to access.

Nick Berardi answered Dec 06 '25 12:12
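The question's edit asks how to build the GET query string for the search page without a postback. The following is an added example (not code from the question or the answer) showing the client-side route the asker mentions: the search box's submit is intercepted and the browser is sent to the search page with a properly encoded query string. The page path `/my-search-page.aspx` and the parameter name `q` are taken from the answer's config and its Google comparison; the function names, the page URL and the sample inputs are assumptions made for the example. Because the target URL is built from the current page's own scheme and host, an https page stays on https, so the "posting data to an unsecure connection" warning never appears.

```javascript
// Added example: build a GET search URL from search-box input, with no postback.
// Assumes the search page is /my-search-page.aspx (from the answer's web.config
// <location> override) and that it reads the term from a "q" query parameter.

// Build the absolute URL of the search page, keeping the scheme and host of the
// page the user is currently on. Only the path and query change, so an https
// page never hands the search off to a plain-http URL.
function buildSearchUrl(currentPageUrl, searchPath, params) {
  const current = new URL(currentPageUrl);
  const target = new URL(searchPath, current.origin);
  const query = new URLSearchParams();
  for (const [name, value] of Object.entries(params)) {
    if (value === undefined || value === null) continue;
    const trimmed = String(value).trim();
    if (trimmed === '') continue;          // skip empty fields
    // URLSearchParams percent-encodes "&", "=", "#" etc., so a term such as
    // "a&b=c" cannot smuggle extra parameters into the query string.
    query.set(name, trimmed);
  }
  target.search = query.toString();        // empty string => no "?" at all
  return target.toString();
}

// What the search page sees: the term decoded back from the query string.
// A server-side handler (Request.QueryString["q"] in ASP.NET) does the same job.
function readSearchTerm(searchUrl, paramName = 'q') {
  return new URL(searchUrl).searchParams.get(paramName);
}

// Browser hook-up (only runs when loaded in a page): intercept the submit of the
// search box and navigate with a GET instead of letting ASP.NET post back.
// Assumes the search input has id="site-search-term" inside a form with
// id="site-search-form"; both ids are placeholders for this example.
if (typeof document !== 'undefined') {
  const form = document.getElementById('site-search-form');
  if (form) {
    form.addEventListener('submit', (event) => {
      event.preventDefault();
      const term = document.getElementById('site-search-term').value;
      window.location.assign(
        buildSearchUrl(window.location.href, '/my-search-page.aspx', { q: term })
      );
    });
  }
}
```

The `<location>` override from the answer is still required on the search page itself: the GET only avoids the postback to the protected page, it does not make the search page anonymous.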


