
I am in a situation where, on the site I am working on, the manager wants to allow the user to log in without worrying whether they logged in through http or https. Based on another SO question (how can I share an asp.net session between http and https) I thought this would be possible if I set secure = false on the cookie. To add to this, we use a subdomain for the secure part of the site. So for http we use site.com, while https uses secure.site.com. So I tried setting the domain for the authentication in the web.config.

<authentication mode="Forms">
  <forms loginUrl="/account/login"
    protection="All" timeout="30" name=".ASPXAUTH" path="/"
    requireSSL="false" slidingExpiration="true" defaultUrl="/"
    cookieless="UseDeviceProfile" domain="site.com"
    enableCrossAppRedirects="false" />
</authentication>

Am I doing this all wrong? I understand there are some security concerns and I was going to address them when a request is made. I just want to allow the user to log in once and be remembered across http and https. Thanks.

Wade73
  • Just redirect everything to https, problem solved. – mxmissile Jul 13 '16 at 17:11
  • I felt the same way, but the manager doesn't want it that way. – Wade73 Jul 13 '16 at 17:47
  • Sounds like a situation to [say no](https://sites.google.com/site/unclebobconsultingllc/blogs-by-robert-martin/saying-no). Our industry considers sharing traffic between secure and insecure channels to be a bad thing and so tries to make it impossible, or at least difficult. Your own instinct says, "just use secure channel for everything then." It would be unprofessional of you to spend your valuable time building a work around best practices. – Will Jul 22 '16 at 15:53
  • Are secured and unsecured pointing to the same site (1 web.config) or 2 sites each with their own web.config? – atjoedonahue Jul 23 '16 at 19:15
  • Same site, 1 web.config – Wade73 Jul 24 '16 at 00:35
  • @Wade73 - in IIS do you have it configured as one site with two bindings or as two sites, each with its own binding pointing to the same directory? – Ondrej Svejdar Jul 25 '16 at 04:01
  • @OndrejSvejdar One site with two bindings. – Wade73 Jul 25 '16 at 11:07

1 Answer

I think you have the wrong domain in your web.config. You should change it to

domain=".site.com"

So you're allowing your forms auth cookie to live on both the ssl.site.com and no-ssl.site.com domains, for example.

All that being said, any kind of security starts with https:// over all of your solution - otherwise you're open to man-in-the-middle attacks (a web proxy can inject inappropriate content into your solution, they can steal your authorization cookie and use it in a flow on https://ssl.site.com, etc.).

Ondrej Svejdar
  • I have used both .site.com and site.com, since both show in examples I have seen, but with no luck. It doesn't seem to recognize the auth cookie when I set the domain on the cookie. – Wade73 Jul 24 '16 at 20:44
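The cookie scoping discussed in the answer, as an added example that is not part of the question, the answer or ASP.NET itself: a small Python model of which requests a browser attaches a forms-auth cookie to, following RFC 6265 domain matching (which ignores a leading dot in the Domain attribute, so `site.com` and `.site.com` scope the cookie identically in a current browser) and the Secure attribute. The hostnames follow the question (site.com, secure.site.com); the Set-Cookie header values and the list of URLs are constructed samples, not captured traffic.

```python
"""Model where a browser will send a forms-auth cookie, from its Set-Cookie attributes.

Domain matching follows RFC 6265 section 5.1.3, and the Secure attribute keeps the cookie
off plaintext http. The headers and hostnames below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # effective domain, lower-cased and without a leading dot
    host_only: bool      # True when the server sent no Domain attribute
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value as a browser would (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=origin_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # A leading dot is ignored, so "site.com" and ".site.com" behave the same here
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, url: str) -> bool:
    """Would a browser attach the cookie to a request for url? (Path is not modelled.)"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False                      # Secure cookies never travel over plaintext
    if cookie.host_only:
        return host == cookie.domain      # no Domain attribute: exact host only
    return domain_matches(host, cookie.domain)


def audit(header: str, origin_host: str, urls: List[str]) -> Dict[str, List[str]]:
    """List the URLs that would receive the cookie and the exposure that creates."""
    cookie = parse_set_cookie(header, origin_host)
    sent_to = [u for u in urls if cookie_sent_to(cookie, u)]
    findings = []
    if any(urlsplit(u).scheme == "http" for u in sent_to):
        findings.append("cookie travels over plaintext http, so it can be read in transit "
                        "and replayed against the https host")
    if not cookie.httponly:
        findings.append("cookie is readable from script (no HttpOnly)")
    return {"sent_to": sent_to, "findings": findings}


# Constructed samples modelled on the forms cookie in the question (values are dummies).
SHARED = ".ASPXAUTH=0123456789abcdef; domain=.site.com; path=/; HttpOnly"
HARDENED = ".ASPXAUTH=0123456789abcdef; domain=.site.com; path=/; Secure; HttpOnly"
URLS = [
    "http://site.com/",
    "https://secure.site.com/account",
    "http://www.site.com/",
    "https://notsite.com/",       # shares the suffix "site.com" but is not a subdomain
]

if __name__ == "__main__":
    for label, header in (("shared", SHARED), ("hardened", HARDENED)):
        result = audit(header, "site.com", URLS)
        print(label, "->", result["sent_to"])
        for finding in result["findings"]:
            print("   ", finding)
```

Running it shows the trade-off the answer's last paragraph describes: the shared cookie reaches http://site.com, http://www.site.com and https://secure.site.com, so one plaintext request exposes the same token that authenticates on the https host, while the Secure variant reaches only https://secure.site.com. In ASP.NET forms authentication, `requireSSL="true"` is what causes the framework to set the Secure attribute on that cookie.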