Remove multiple protocol authentication


1

Hello,

I am implementing MVC with ASP.NET Identity; however, I’m having some problems...

Scenario: I log in over HTTP and everything works normally. When I try to access any page over HTTPS, it does not see that I am logged in. However, the authentication cookie is there... I searched for what it could be and discovered that the cookie is not specifying the Secure flag.

Goal: I need to authenticate myself with only one user. I can force HTTPS at the time of logging in, but if someone accesses a page over HTTP the system will not see that I am authenticated. How do I get a single authentication seen over both HTTP and HTTPS?

Here’s my Identity Startup class:

    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Cookie-based sign-in for ASP.NET Identity.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // Re-validate the user's security stamp on every request (interval of 0 seconds).
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromSeconds(0),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                },
                ExpireTimeSpan = TimeSpan.FromDays(100),
            });
        }
    }

I don’t know where to put this configuration (force HTTP to see HTTPS authentication in a more generic way).

1 answer

2


Insert in your Global.asax.cs the following:

// Runs when a new session starts.
void Session_Start(object sender, EventArgs e)
{
    // On an HTTPS request, clear the Secure flag on the session cookie.
    if (Request.IsSecureConnection)
        Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

This way, the cookies will be shared between HTTP and HTTPS requests, not just one or the other.

Or, a little more modern, you can set in your Startup.Auth.cs, the following:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ...
    CookieSecure = CookieSecureOption.Never
});

I don’t think it’s a good setup. The right thing would be for your site to always be on HTTPS, but if you need it to work on both, either of the two approaches will do.

  • 1

    Thanks, I was already getting a headache trying to find this configuration.

  • 1

    It was giving problems on localhost. I checked and it generated the Identity authentication cookie without the Secure flag, but it was not seen in both cases. I tested on the external server and it worked properly. I don’t know if it was a specific setting of my local IIS that ended up conflicting. Thanks for the help.
