I am in a situation where, for the site I am working on, the manager wants to allow the user to log in and not worry about whether they logged in through http or https. Based on another SO question (how can I share an asp.net session between http and https), I thought this would be possible if I set secure = false on the cookie. To add to this, we use a subdomain for the secure part of the site: for http we use site.com, while https uses secure.site.com. So I tried setting the domain for the authentication in the web.config.
<authentication mode="Forms">
    <forms loginUrl="/account/login"
           protection="All" timeout="30" name=".ASPXAUTH" path="/"
           requireSSL="false" slidingExpiration="true" defaultUrl="/"
           cookieless="UseDeviceProfile" domain="site.com"
           enableCrossAppRedirects="false" />
</authentication>
Am I doing this all wrong? I understand there are some security concerns and I was going to address them when a request is made. I just want to allow the user to log in once and be remembered across http and https. Thanks.
I think you have the wrong domain in your web.config. You should change it to
domain=".site.com"
That way you're allowing your forms auth cookie to live on both the ssl.site.com and no-ssl.site.com domains, for example.
All that being said, any kind of security starts with https:// over all of your solution; otherwise you're open to man-in-the-middle attacks (a web proxy can inject inappropriate content into your solution, steal your authorization cookie and use it in a flow on https://ssl.site.com, etc.).
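To make the answer's two points concrete, here is an added example (it is not from the question, the answer, or ASP.NET itself) that models RFC 6265 cookie scoping in Python: which requests a browser attaches the forms cookie to, and which of those go out over plain http where anyone on the network path can read it. Under RFC 6265 a leading dot in the Domain attribute is ignored, so `.site.com` and `site.com` scope identically in current browsers; the dotted form is what the older RFC 2109 required. The hosts and URLs are constructed to follow the question's site.com / secure.site.com layout.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Cookie:
    name: str
    set_by: str            # host that issued the Set-Cookie
    domain: Optional[str]  # Domain attribute (web.config domain="..."); None = host-only
    secure: bool           # Secure attribute (requireSSL="true" sets it)

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain matching; a leading dot is ignored (5.2.3)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def sent_with(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False               # Secure cookies never travel over plain http
    if cookie.domain is None:      # no Domain attribute: host-only cookie
        return host == cookie.set_by.lower()
    return domain_matches(host, cookie.domain)

def exposure(cookie: Cookie, urls) -> dict:
    """Map each URL to 'https', 'cleartext' (sent over plain http) or 'not sent'."""
    out = {}
    for url in urls:
        if not sent_with(cookie, url):
            out[url] = "not sent"
        else:
            out[url] = "https" if urlsplit(url).scheme == "https" else "cleartext"
    return out

# Constructed sample requests following the question's site.com / secure.site.com layout.
URLS = ["http://site.com/", "https://secure.site.com/account/login",
        "http://www.site.com/", "https://notsite.com/"]
# The question's configuration: domain=".site.com", requireSSL="false".
SHARED = Cookie(".ASPXAUTH", "site.com", ".site.com", secure=False)
# Same scope with requireSSL="true": the cookie is withheld from every http request.
SHARED_SECURE = Cookie(".ASPXAUTH", "site.com", ".site.com", secure=True)
# No domain attribute: host-only, so secure.site.com never receives it.
HOST_ONLY = Cookie(".ASPXAUTH", "site.com", None, secure=False)

if __name__ == "__main__":
    for label, c in (("shared", SHARED), ("shared+secure", SHARED_SECURE), ("host-only", HOST_ONLY)):
        print(label, exposure(c, URLS))
```

The "cleartext" entries for the shared cookie are exactly the requests where the cookie could be captured and replayed against https://secure.site.com; setting requireSSL="true" removes them at the cost of the http login the question wants.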