Question

We use Stunnel (to strip out SSL) and HAProxy on our Load Balancer - which then sends on requests to IIS via HTTP.

The problem we have is we want our sites (ASP.NET) to set cookies in a secure fashion - i.e. by setting the requireSSL attribute to true.

When we set this attribute and make a HTTPS request to the site, we get this error:

The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.

Is it possible to trust the webserver if the request is coming over SSL from the load balancer? Or is this a non-problem as it is ONLY possible to access our site via SSL (only 443 is open)?


Solution

Instead of this:

FormsAuthentication.SetAuthCookie(email, false);

try this:

var cookie = FormsAuthentication.GetAuthCookie(email, false);
cookie.Secure = true;
HttpContext.Current.Response.Cookies.Add(cookie);

If you are using ASP.NET MVC, you could also use a global action filter which sets the secure flag on all cookies in the response.

OTHER TIPS

For ASP.NET MVC 3 users (which we are), you can also handle this with the following GlobalFilter that I've put together, which can then secure any cookie sent back:

using System.Web.Mvc;

namespace MyNamespace
{
    // Result filter: runs just before the action result is executed, i.e. after the
    // action has added its cookies to the response but before they are written out.
    public class SecureCookiesAttribute : FilterAttribute, IResultFilter
    {
        public void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // HttpOnly on every cookie, regardless of how the request arrived.
            foreach (string cookieName in filterContext.HttpContext.Response.Cookies.AllKeys)
                filterContext.HttpContext.Response.Cookies[cookieName].HttpOnly = true;

            // Local (debugging) requests come in over plain HTTP, so leave Secure unset for them.
            if (filterContext.HttpContext.Request.IsLocal)
                return;

            // Everything else is assumed to have reached the load balancer over HTTPS.
            foreach (string cookieName in filterContext.HttpContext.Response.Cookies.AllKeys)
                filterContext.HttpContext.Response.Cookies[cookieName].Secure = true;
        }

        public void OnResultExecuted(ResultExecutedContext filterContext) { }
    }
}

This will set the HTTPOnly flag on any cookie regardless, then if the request is from a non-local source it will also set the secure flag. This allows us to do local debugging over HTTP rather than HTTPS (but you can simply remove this check if everything you do is over HTTPS).
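A variant of the filter above, added here as an example rather than code from either answer: instead of keying on IsLocal, it decides whether the client actually used HTTPS by reading the load balancer's forwarded-protocol header, and believes that header only when the request came from a known proxy address. The header name, the proxy addresses, and the assumption that HAProxy adds the header are all hypothetical and must match your own setup.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
namespace MyNamespace
{
    // Added example (not from either answer): marks response cookies Secure when the
    // request reached the load balancer over TLS, even though IIS only sees plain HTTP.
    public class ProxyAwareSecureCookiesAttribute : FilterAttribute, IResultFilter
    {
        // Assumption: the load balancer's addresses as IIS sees them. The forwarded
        // header is only believed from these, so a client cannot claim HTTPS itself.
        private static readonly HashSet<string> TrustedProxies =
            new HashSet<string> { "127.0.0.1", "::1", "10.0.0.5" };
        // Assumption: HAProxy adds "X-Forwarded-Proto: https" to requests it
        // received from the Stunnel (TLS) front end.
        private const string ForwardedProtoHeader = "X-Forwarded-Proto";

        public static bool RequestArrivedOverTls(HttpRequestBase request)
        {
            if (request.IsSecureConnection)
                return true; // IIS terminated TLS itself

            if (!TrustedProxies.Contains(request.UserHostAddress ?? string.Empty))
                return false; // the header from anyone else is ignored

            // Take the first hop's value if the header was appended to along the way.
            string proto = request.Headers[ForwardedProtoHeader] ?? string.Empty;
            string firstHop = proto.Split(',')[0].Trim();
            return firstHop.Equals("https", StringComparison.OrdinalIgnoreCase);
        }

        public void OnResultExecuting(ResultExecutingContext filterContext)
        {
            bool secure = RequestArrivedOverTls(filterContext.HttpContext.Request);
            HttpCookieCollection cookies = filterContext.HttpContext.Response.Cookies;

            foreach (string name in cookies.AllKeys)
            {
                cookies[name].HttpOnly = true;   // keep script away from the cookie regardless
                if (secure)
                    cookies[name].Secure = true; // browser only returns it over HTTPS
            }
        }

        public void OnResultExecuted(ResultExecutedContext filterContext) { }
    }
}
```

Register it once in Global.asax with GlobalFilters.Filters.Add(new ProxyAwareSecureCookiesAttribute()); if only port 443 is open at the load balancer, every request from the proxy will carry https and the Secure flag is set on every cookie.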

Licensed under: CC-BY-SA with attribution