ASP.NET MVC Website Partial SSL Authentication cookie not submitted in request

Question

I'm trying to make a POC of which is possible to have a website that uses http and https. So i have a control in my master page that needs info if the user is authenticated or not. For this I want to use HttpContext.Current.User.Identity.IsAuthenticated. If is authenticated shows info for authenticated users, if not appear the login control.

To authenticate the control make an AJAX POST request to the Login action that has the [RequireHttps] attribute. The URL used in the AJAX request is:

$.ajax({
    type: 'POST',
    url: '@Url.Action("ModalLogIn", "Authentication", null, "https", Request.Url.Host + ":44300")',

By the way I'm using VS2013 IIS express with SSL enabled.

As you can see in my AJAX request i'm using the HTTPS in action url. The request is made to the server using SSL and the response is made with success.

The problem is that in the subsequent requests the ASPXAUTH cookie is not passed in the request header. So the server does not get the user authentication info. The subsequent requests are made with no SSL, are simple HTTP requests.

I know that in security terms the authentication is still insecure because i'm expecting to pass the ASPXAUTH through HTTP, but like I said is a POC and I want to see if it is possible to make a simple authentication request using HTTPS and all the others using HTTP.

As requested this is the Response Headers:

Access-Control-Allow-Orig...    *
Cache-Control   private
Content-Length  15
Content-Type    application/json; charset=utf-8
Date    Sat, 26 Oct 2013 18:57:55 GMT
Server  Microsoft-IIS/8.0
Set-Cookie  ASP.NET_SessionId=j2a53htev0fjp1qq4bnoeo0l; path=/; HttpOnly 
ASP.NET_SessionId=j2a53htev0fjp1qq4bnoeo0l; path=/; HttpOnly 
IAC.CurrentLanguage=en; expires=Sun, 26-Oct-2014 19:57:55 GMT; path=/ 
.ASPXAUTH=730DEDBFD2DF873A5F2BD581AA0E25B685CAD12C26AEA63AD82484C932E26B617687A05BB403216CC5EFCF799970810059F9CA2CF829F953580AF81FF48102003C0129AB04424F0D011A733CAAF1DE00688E5A4C93DEA97338DD2B5E7EE752F3761A470D52449BEBCA74098912DE37AA8C1E293B1C5D44EB1F9E9384DAAEF289; path=/; HttpOnly
    X-AspNet-Version    4.0.30319
    X-AspNetMvc-Version 3.0
X-Powered-By    ASP.NET
X-SourceFiles   =?UTF-8?B?QzpcTXkgRGF0YVxCaXRidWNrZXRcaWFjLXdlYnNpdGVcaW1wbGVtZW50YXRpb25cZG90bmV0XElBQy5XZWJcQXV0aGVudGljYXRpb25cTW9kYWxMb2dJbg==?=

Answer 1

Just a shot in the dark, but try setting the ASPXAUTH cookie with an expiration date.

It's possible that the browser, upon receiving a session cookie, will only present the session cookie on connections using the same protocol (https) as when it was set. I know for sure that persistent cookies do not have this limitation.

Also, investigate whether port could be the issue. If your AJAX goes over 44300 and your web goes over 80 or 443, it's possible the cookie is lost because the browser considers secure cookies to be port-specific. The W3C spec doesn't say whether cookies are private with respect to port; browsers vary.

Answer 2

All things work perfect like that ajax request in HTTPS manner by JS. Related respond works correctly too. But it seems that you have not prepared Login page in SSL too! My meaning is :

[RequireHttps]
public ActionResult Login()
{
   return View();
}

Then Send request to HttpPost enabled Action. I believe that will work correctly. Unless you had some lack of requirements like MicrosoftMvcAjax.js and MicrosoftAjax.js in situations that you are using formal Microsoft ajax form by your ViewEngine (Perhaps by Razor). I think studying this Article can help you more.

Good Luck.

Answer 3

It might be that when you set the auth cookie, it is marked as "Secure".

Using the Chrome Developer Tools, click on 'Resources', then cookies. Under the 'Secure' column check if the cookie is marked. If it is, then this means that the browser will not send the auth cookie using a non-secure connection.