Remove multiple authentication per protocol

Question

Remove multiple authentication per protocol

Navigation

#1 by (2 votes)

1

Hello,

I'm implementing MVC with Asp.Net Identity , however, I'm having some problems ...

Scenario: I'm logging in from the HTTP protocol, everything goes in normally. When I try to access any page with HTTPS protocol, it does not see that I am logged in. But the cookie is there ... I researched what could be and found that Cookie is not specifying the Secure flag.

Objective: I need to authenticate only with a user, I can force HTTPS to log in, but if someone accesses some page through http strong> the system will not see that I am authenticated. How do I view a single authentication in both HTTP and HTTPS ?

Here is my Identity Startup class:

 public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                          validateInterval: TimeSpan.FromSeconds(0),
                          regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                },
                ExpireTimeSpan = System.TimeSpan.FromDays(100),        
            });
        }
    }

I do not know where to put this configuration (forcing HTTP to see HTTPS authentication in a more general way).

c# https asp.net-mvc asp.net-identity

asked by anonymous 09.05.2017 / 01:54

1 answer

Improvements in dynamic content How to use random script

score 2 · Accepted Answer

Enter your Global.asax.cs as follows:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection)
        Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

So your cookies will be shared between HTTP and HTTPS requests, not just one or the other.

Or, a little more modern, you can set in your Startup.Auth.cs , the following:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ...
    CookieSecure = CookieSecureOption.Never
});

I do not think this configuration is good. The right thing would be for your site to always be on HTTPS, but if it needs to work on both, both ways do.