secure pages lose authentication, is there a work-around?

Some pages on the site have to be run under a secure certificate. Of
course as soon as I go from a 'normal' page to a secure one
(http://jazz.aspappdev.com/ -->
https://secure.web-services.org/jazz/) I lose the cookie, the
authentication and everything because I am actually changing sites
(just to let you know that I know that)

Am I going to have to write my own routines to authenticate ... I've solved this before 2.0 with carrying things around in a querystring ... and of course this still works. But is there a way to retain authentication between the two states (unauthenticated and authenticated) without dragging a querystring around and/or 'rolling my own?'

TIA

Lynda

0
LyndaPostal
6/17/2005 12:17:18 PM

There isn't anything that will automatically solve the cross-domain problem you are seeing. In ASP.NET 2.0 there is better support for passing forms authentication tickets between different DNS domains though - if you set "enableCrossAppRedirects" to "true" in the <forms /> configuration element, then you can pass the string representation of a forms authentication ticket around on the query string from one application to another. As long as the query-string variable has the same name as the forms authentication cookie, then in the second application the FormsAuthenticationModule will detect the presence of the ticket in the query-string and it will automatically convert it back into a forms authentication cookie.
-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
0
sschack
6/20/2005 8:18:55 PM
I am having the same problem. I changed the enableCrossAppRedirects to true, but I don't understand how to do the rest. How do I attach the forms authentication ticket to a query string? My users navigate to a secure page from the menu feature, thus I will need to attach the string in my sitemap file.
0
cb3431
11/17/2005 2:07:38 AM

You can pass a forms authentication ticket on the query-string with code that looks like the following:

            FormsAuthenticationTicket ft = new FormsAuthenticationTicket(
                2, //version
                txtUserId.Text,  //the username
                DateTime.Now,
                DateTime.Now.AddMinutes(30),  //Use the appropriate expiration time
                false,  //is persistent
                String.Empty,  //UserData
                "/" /*cookiePath*/);

            string encryptedTicket = FormsAuthentication.Encrypt(ft);

            Response.Redirect("default.aspx?" + FormsAuthentication.FormsCookieName + "=" + encryptedTicket);


-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
0
sschack
11/17/2005 8:04:14 PM
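
An added example, not part of the original posts: the ticket on the query string works as a bearer credential, so this sketch builds the redirect URL only for an allow-listed HTTPS host. The class name, method name and allow-list are hypothetical; the host comes from the question, and both applications are assumed to share the forms cookie name and machineKey settings.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper for illustration; not an ASP.NET API.
public static class CrossSiteHandoff
{
    // Assumption: the only host that may receive a ticket (from the question).
    private static readonly string[] AllowedHosts = { "secure.web-services.org" };

    // Returns an absolute URL carrying the encrypted ticket, or throws if the
    // target is not an HTTPS URL on an allow-listed host.
    public static string BuildHandoffUrl(string userName, string targetUrl, TimeSpan lifetime)
    {
        Uri target;
        if (!Uri.TryCreate(targetUrl, UriKind.Absolute, out target)
            || target.Scheme != Uri.UriSchemeHttps
            || !IsAllowedHost(target.Host))
        {
            throw new ArgumentException("Target is not an allowed HTTPS URL.", "targetUrl");
        }

        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            2, userName, now, now.Add(lifetime), false, String.Empty, "/");
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // The variable name must match the forms cookie name so the receiving
        // FormsAuthenticationModule recognises the ticket.
        string pair = HttpUtility.UrlEncode(FormsAuthentication.FormsCookieName)
            + "=" + HttpUtility.UrlEncode(encrypted);

        // Preserve any query string already present on the target.
        UriBuilder builder = new UriBuilder(target);
        string existing = builder.Query.TrimStart('?');
        builder.Query = existing.Length == 0 ? pair : existing + "&" + pair;
        return builder.Uri.AbsoluteUri;
    }

    private static bool IsAllowedHost(string host)
    {
        foreach (string allowed in AllowedHosts)
        {
            if (String.Equals(host, allowed, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

From a page's code-behind the result is passed to `Response.Redirect`, for example with `User.Identity.Name`, the target `https://secure.web-services.org/jazz/` and a 30-minute lifetime.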
Thank you for responding.

I tried doing the url in my sitemap file like this

<code>
<siteMapNode title="Client Management"
    url="/Staff/UserMgmt.aspx? + FormsAuthentication.FormsCookieName + = + encryptedTicket"
    description="Add or modify client information"
    roles="Admin,Staff" />
</code>

but it gives me The 'url' property had a malformed URL:

I placed the rest of the code on my masterpage in the code behind file.
Any help is greatly appreciated.

0
cb3431
11/18/2005 4:33:29 AM
The sitemap can't handle any kind of programming code in URLs - that's why you need to programmatically issue the redirect with the forms auth cookie on the query string.  Think of the <siteMapNode> as being statically defined in the XML - there isn't a way to mark it up the way you can intersperse code and markup in an .aspx page.

I think you could just keep the <siteMapNodes/> defined with regular URLs, and handle the login logic with a login.aspx. If someone selects a node in a Menu or a Treeview, and the custom authentication logic rejects them, they would just need to log in with different credentials. At which point they would get redirected back to their desired page, and the ticket would be in the querystring. Assuming that the authentication mode on the site is forms authentication, the FormsAuthenticationModule has logic to automatically convert a ticket in the query-string into a forms authentication cookie. So after the redirect from the login page Forms Authentication will detect the ticket in the querystring and turn it into a cookie for you.
-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
0
sschack
11/18/2005 6:08:38 PM
Is this the best practice? Seems like my users would find it irritating having to log in whenever they try and access a secure page.
0
cb3431
11/21/2005 4:55:35 PM