nVentimiglia

Reputation: 1908

MVC5 User not authenticated under http

User is not recognized as authenticated from http requested pages.

I recently installed SSL on my website. On my master page I display the user's name if they are authenticated. I noticed that when I navigate to the page using HTTP I am always signed off. When I then navigate to the sign-in page I am instantly recognized correctly. It's as if my website can only read the authentication cookie from HTTPS requests.

I am using ASP.NET MVC 5. I am using the (mostly) default OWIN authentication stack.

Is this normal behavior? Is there anything I can do to recognize my users under non-SSL HTTP requests?

Upvotes: 2

Views: 1150

Answers (1)

Emran Hussain

Reputation: 12089

The details can be found in this page: http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

I have copied a part of the text from this page here:

=====================================================================

By default (presumably for simplicity and ease of development) the cookie is only issued with the secure flag (i.e. require SSL) if the incoming request is SSL. This is an important setting to change when you release your application to production. This setting is configured with an enum:

public enum CookieSecureOption
{
   SameAsRequest,
   Never,
   Always
}

and would be done with this configuration change (notice the CookieSecure flag):

// Namespaces the snippet relies on (Microsoft.Owin.Security.Cookies, Microsoft.AspNet.Identity)
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
   app.UseCookieAuthentication(new CookieAuthenticationOptions
   {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login"),
      // Always set the Secure flag, regardless of the scheme of the sign-in request
      CookieSecure = CookieSecureOption.Always
   });
}

=================================

I have copied the documentation of this CookieSecure property as follows:

Determines if the cookie should only be transmitted on HTTPS requests. The default is to limit the cookie to HTTPS requests if the page which is doing the SignIn is also HTTPS. If you have an HTTPS sign-in page and portions of your site are HTTP you may need to change this value.

So, I changed the value of CookieSecure to CookieSecure = CookieSecureOption.Never and that solved my problem.

Upvotes: 4
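The three CookieSecureOption values side by side, as an added example that is not code from the question, the answer or Brock Allen's post. It assumes the standard MVC 5 project layout (a partial Startup class, a FilterConfig registered from Global.asax) and a hypothetical MyApp namespace. The comments spell out what each option means for the cookie on the wire: SameAsRequest produces the symptom in the question (HTTPS sign-in, HTTP pages, browser withholds the cookie), Never removes the Secure flag so the session cookie is also sent over plain HTTP, and Always keeps the flag and relies on the whole site being served over HTTPS so that there are no HTTP pages on which the user looks signed out.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical namespace for this example.
[assembly: OwinStartup(typeof(MyApp.Startup))]

namespace MyApp
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),

                // Secure-flag policy for the authentication cookie:
                //   SameAsRequest (the default): Secure only if the sign-in request was HTTPS.
                //       With an HTTPS login page and HTTP content pages the browser never
                //       presents the cookie on HTTP, which is the "signed off" symptom above.
                //   Never: no Secure flag; the cookie is sent on HTTP requests as well, so the
                //       session token crosses the network in cleartext on every HTTP page.
                //   Always: Secure flag set; combined with site-wide HTTPS (filter below) every
                //       page is HTTPS, so the cookie is always presented and never in cleartext.
                CookieSecure = CookieSecureOption.Always,

                // Keep the cookie out of reach of page scripts (this is also the default).
                CookieHttpOnly = true,
            });
        }
    }

    // Registered from Global.asax via GlobalFilters.Filters, as in the MVC 5 template.
    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            // Redirect every HTTP GET to its HTTPS equivalent; with no HTTP pages left,
            // CookieSecureOption.Always no longer makes users appear logged out anywhere.
            filters.Add(new RequireHttpsAttribute());
        }
    }
}
```

RequireHttpsAttribute redirects GET requests to HTTPS and rejects other verbs over HTTP, so it should be enabled only once the production site actually terminates TLS for every path.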
