开发者

Secure Forms Authentication behind Proxy

开发者 https://www.devze.com 2023-03-13 07:45 出处:网络
We use Stunnel (to strip out SSL) and HAProxy on our Load Balancer - which then sends on requests to IIS via HTTP.

We use Stunnel (to strip out SSL) and HAProxy on our Load Balancer - which then sends on requests to IIS via HTTP.

The problem we have is we want our sites (ASP.NET) to set cookies in a secure fashion - i.e. by setting the requireSSL attribute to true.

When we set this attribute and make a HTTPS request to the site, we get this error:

The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.

Is it possible to trust the webserver if the the request is coming over SSL from the load balancer? Or 开发者_JS百科is this a non-problem as it is ONLY possible to access our site via SSL (only 443 is open)?


Instead of this:

FormsAuthentication.SetAuthCookie(email, false);

try this:

var cookie = FormsAuthentication.GetAuthCookie(email, false);
cookie.Secure = true;
HttpContext.Current.Response.Cookies.Add(cookie);

If you are using ASP.NET MVC, you could also use a global action filter which sets the secure flag on all cookies in the response


For ASP.NET MVC 3 users - which we are, you can also handle this with the following GlobalFilter that I've put together - which can then secure any cookie sent back:-

namespace MyNamespace
{
    public class SecureCookiesAttribute : FilterAttribute, IResultFilter
    {
        public void OnResultExecuting(ResultExecutingContext filterContext)
        {
            foreach (string cookieName in filterContext.HttpContext.Response.Cookies.AllKeys)
                filterContext.HttpContext.Response.Cookies[cookieName].HttpOnly = true;

            if (filterContext.HttpContext.Request.IsLocal)
                return;

            foreach (string cookieName in filterContext.HttpContext.Response.Cookies.AllKeys)
                filterContext.HttpContext.Response.Cookies[cookieName].Secure = true;
        }

        public void OnResultExecuted(ResultExecutedContext filterContext) { }
    }
}

This will set the HTTPOnly flag on any cookie regardless, then if the request is from a non-local source it will also set the secure flag. This allows for us to do local debugging over HTTP rather than HTTPS (but you can simply remove this check if everything you do is over HTTPS).

0

精彩评论

暂无评论...
验证码 换一张
取 消