Reputation: 4640
I have a login problem.
First, I am using SSL while logging in.
When I log in, I am creating a cookie like this. When I check if it is secure, the answer is yes.
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,                            // version
    UserName.Text,                // user name
    DateTime.Now,                 // creation
    DateTime.Now.AddMinutes(60),  // expiration
    false,                        // persistent
    role);                        // user data

// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

// Create a cookie and add the encrypted ticket to the cookie as data.
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

if (authCookie.Secure)
{
    new GUIUtility().LogMessageToFile("The cookie is secure with SSL.");
    // Add other required code here.
}

authCookie.Secure = FormsAuthentication.RequireSSL;

// Add the cookie to the outgoing cookies collection.
HttpContext.Current.Response.Cookies.Add(authCookie);

// Redirect the user to the originally requested page.
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
Then this is redirected to the Global.asax page, which has this code:
string cookieName = FormsAuthentication.FormsCookieName.ToString();
HttpCookie authCookie = Context.Request.Cookies[cookieName];
try
{
    new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure);
}
catch (Exception)
{
    // ignored
}
Here I get the cookieName as ".ASPXAUTH" and the authCookie.Secure value as False. Why is this happening? I want the authCookie.Secure value to be true here.
Any suggestions? Thanks.
My web.config has this:
<authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" slidingExpiration="true"
           timeout="120" path="/" requireSSL="true" protection="All">
    </forms>
</authentication>
<httpCookies requireSSL="true"/>
<authorization>
    <deny users="?"/>
    <!--<allow users="*"/>-->
</authorization>
Upvotes: 2
Views: 3192
Reputation: 4640
Restrict the Authentication Cookie to HTTPS Connections
Cookies support a "secure" property that determines whether or not browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.
If you are using .NET Framework version 1.1, set the secure property by using requireSSL="true" on the <forms> element as follows:
<forms loginUrl="Secure\Login.aspx"
       requireSSL="true" . . . />
If you are using .NET Framework version 1.0, set the secure property manually in the Application_EndRequest event handler in Global.asax using the following code:
protected void Application_EndRequest(Object sender, EventArgs e)
{
    string authCookie = FormsAuthentication.FormsCookieName;
    foreach (string sCookie in Response.Cookies)
    {
        if (sCookie.Equals(authCookie))
        {
            // Set the cookie to be secure. Browsers will send the cookie
            // only to pages requested with https.
            Response.Cookies[sCookie].Secure = true;
        }
    }
}
So according to me, the first option is not working in web.config, so I'm doing it manually, which is the second option in the code.
Please suggest.
Upvotes: 2
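As an added example, not code from the question or either answer: an Application_EndRequest handler that hardens the forms-authentication cookie on the outgoing response, together with a small check over a raw Set-Cookie header, since the Secure flag exists only on the server's Set-Cookie header and the browser's Cookie request header carries name=value alone, so Request.Cookies[name].Secure can never be used to verify it. It assumes System.Web on .NET Framework 2.0 or later (for HttpCookie.HttpOnly) and a Global.asax code-behind class; the question's GUIUtility logger is not used.

```csharp
// Added example; not the question's or answers' code. Assumes classic
// ASP.NET (System.Web) forms authentication and a Global.asax code-behind.
using System;
using System.Linq;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs for every response. Secure/HttpOnly are attributes of the
    // Set-Cookie header the server emits; the browser never echoes them
    // back, so reading .Secure from Request.Cookies always yields false.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        string name = FormsAuthentication.FormsCookieName;

        // Indexing Response.Cookies[name] *creates* an empty cookie (and an
        // empty Set-Cookie header) when none is queued, so test presence first.
        if (!Response.Cookies.AllKeys.Contains(name))
            return;

        HttpCookie auth = Response.Cookies[name];
        auth.Secure = true;    // browser returns it over HTTPS only
        auth.HttpOnly = true;  // not readable from page script
    }

    // Verifies that a raw Set-Cookie header (copied from browser dev tools or
    // a test client) for the given cookie name carries both flags.
    public static bool SetCookieIsHardened(string setCookieHeader, string cookieName)
    {
        string[] parts = setCookieHeader.Split(';').Select(p => p.Trim()).ToArray();
        if (parts.Length == 0 ||
            !parts[0].StartsWith(cookieName + "=", StringComparison.Ordinal))
            return false;

        bool secure = parts.Skip(1)
            .Any(p => p.Equals("Secure", StringComparison.OrdinalIgnoreCase));
        bool httpOnly = parts.Skip(1)
            .Any(p => p.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase));
        return secure && httpOnly;
    }
}
```

With the question's config, a correct response header looks like `.ASPXAUTH=<ticket>; path=/; secure; HttpOnly`, which SetCookieIsHardened(header, ".ASPXAUTH") reports as true; the same cookie read back from Request.Cookies reports Secure as false regardless.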
Reputation: 113342
Are you redirecting on log-in to a non-SSL resource? If this is the case, then the cookie you created in the first piece of code shouldn't be used, because it's a secure cookie and hence only applicable to SSL connections (i.e. you explicitly said it shouldn't be sent to non-SSL requests, that's what .Secure does), and hence a new cookie would be created. I would expect it to also not include the ticket value.
In this case, you're going to want to either:
Upvotes: 1