Remove multiple authentication per protocol

1

Hello,

I'm implementing MVC with ASP.NET Identity; however, I'm having some problems ...

Scenario: I'm logging in over the HTTP protocol, and everything goes normally. When I try to access any page with the HTTPS protocol, it does not see that I am logged in. But the cookie is there ... I researched what it could be and found that the cookie is not specifying the Secure flag.

Objective: I need to authenticate only with a user. I can force HTTPS to log in, but if someone accesses some page through HTTP the system will not see that I am authenticated. How do I have a single authentication in both HTTP and HTTPS?

Here is my Identity Startup class:

    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Cookie-based sign-in for the application
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    // An interval of 0 re-validates the security stamp on every request
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                          validateInterval: TimeSpan.FromSeconds(0),
                          regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                },
                ExpireTimeSpan = System.TimeSpan.FromDays(100),
            });
        }
    }

I do not know where to put this configuration (forcing HTTP to see HTTPS authentication in a more general way).

    
asked by anonymous 09.05.2017 / 01:54

1 answer

2

Put the following in your Global.asax.cs:

    void Session_Start(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection)
            Response.Cookies["ASP.NET_SessionID"].Secure = false;
    }

So your cookies will be shared between HTTP and HTTPS requests, not just one or the other.

Or, a little more modern, you can set the following in your Startup.Auth.cs:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // ... (other options unchanged)
        CookieSecure = CookieSecureOption.Never
    });

I do not think this configuration is good. The right thing would be for your site to always be on HTTPS, but if it needs to work on both, both ways work.

    
09.05.2017 / 02:08
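
The always-HTTPS alternative that the answer calls "the right thing", as an added example that is not part of the original question or answer: plain-HTTP requests are redirected to HTTPS before authentication runs, and the authentication cookie is marked Secure, so there is only one cookie to share. `ApplicationUserManager` and `ApplicationUser` are the question's own types; the default HTTPS port and the HSTS `max-age` value are assumptions.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Registered before cookie authentication: a plain-HTTP request is
        // redirected to the same URL on HTTPS, so every page sees one cookie.
        app.Use(async (context, next) =>
        {
            if (!context.Request.IsSecure)
            {
                var target = new UriBuilder(context.Request.Uri)
                {
                    Scheme = Uri.UriSchemeHttps,
                    Port = 443 // assumption: HTTPS is served on the default port
                };
                context.Response.Redirect(target.Uri.AbsoluteUri);
                return;
            }
            // Ask browsers to stay on HTTPS (max-age is a sample value).
            context.Response.Headers.Set("Strict-Transport-Security", "max-age=31536000");
            await next();
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always, // cookie is sent only over HTTPS
            CookieHttpOnly = true,                    // cookie is not readable from script
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromSeconds(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
            ExpireTimeSpan = TimeSpan.FromDays(100)
        });
    }
}
```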