(FWIW, I've posted this question to my blog as well: http://blog.wolffmyren.com/2011/07/11/ie-protected-mode-ssl/)
Does anyone know how to work around Internet Explorer Protected Mode limitations without requiring the end-user to add our site to the Trusted Sites list?
The problem is that if we enable SSL logins for our site, they can only access SSL pages. IE prevents our non-SSL served pages from accessing the cookie created during the SSL session, so we can either serve everything via SSL (very expensive/resource-intensive), or find some way to set an SSL and non-SSL cookie during the login process.
This MSDN article (What does ielowutil.exe have to do with Internet Explorer 8.0?) has the most relevant information I’ve found yet, but it discusses using Windows APIs, and I’m looking for a solution I can implement with ASP.NET, JavaScript, or some other well-delivered solution.
Update: A friend of mine shared these links, hopefully they'll help:
- http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx
- Partial SSL in ASP.NET Webforms without changing IIS configuration
It looks like IIS is giving you secure cookies over your HTTPS connection, which is very sensible indeed. These cookies are designed not to be leaked to a plain HTTP connection, hence the result you get.
You could create a secondary, non-secure cookie to pass some authentication information to the HTTP side of your site. However, once you've done this, don't assume that whatever was done or sent during the plain HTTP session was done by the legitimate authenticated user, if at some point you need to go back to HTTPS. It can be OK to pass an authentication token from HTTPS to HTTP, but not the other way. (You'd still be vulnerable to attacks in plain HTTP of course, but this may be an acceptable risk in your application.)
There's more about this problem in this question (what applies to Tomcat would be the same with any web server, including IIS): Tomcat session management - url rewrite and switching from http to https
As Bruno alludes, you should check to see whether the SECURE attribute is being set on your cookies (use the F12 developer tools or Fiddler). If it is, you'll see this behavior on ALL browsers.
If not, then the problem is quite likely that you have in the Trusted Zone and http://whatever.com isn't also in the Trusted Zone. If that's your configuration, then yes, Protected Mode is the root cause of the issue, which I've explained much more completely here:
http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx
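The check Eric recommends can be made mechanical. As an added example (not code from the question or either answer), the Python below parses constructed Set-Cookie headers from an HTTPS login response and reports which cookies a browser will send back to http:// versus https:// pages of the same site; the names, values and the secondary non-secure token cookie of the kind Bruno describes are all constructed.

```python
"""Which cookies from an HTTPS login response reach plain-HTTP pages?

A cookie carrying the Secure attribute is only ever sent over https://,
which is exactly the symptom described in the question.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as an HTTPS login page might emit them.
# The first two model auth/session cookies flagged Secure; the third is a
# separate, low-privilege token meant for the plain-HTTP side only.
LOGIN_RESPONSE_HEADERS = [
    "Set-Cookie: .ASPXAUTH=abc123; path=/; HttpOnly; Secure",
    "Set-Cookie: ASP.NET_SessionId=sess42; path=/; HttpOnly; Secure",
    "Set-Cookie: readonly_token=tok-http; path=/",
]


def parse_set_cookie(headers):
    """Return {name: {'secure': bool, 'httponly': bool}} for each Set-Cookie line."""
    cookies = {}
    for line in headers:
        _, _, value = line.partition(":")
        jar = SimpleCookie()
        jar.load(value.strip())
        for name, morsel in jar.items():
            cookies[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return cookies


def cookies_sent_to(cookies, url):
    """Names of cookies a browser attaches to a request for `url`.

    Browser rule modelled here: a Secure cookie is only sent over https;
    a cookie without the attribute is sent over either scheme.
    """
    scheme = urlsplit(url).scheme
    return sorted(n for n, a in cookies.items()
                  if scheme == "https" or not a["secure"])


def diagnose(headers, host="example.com"):
    """Per cookie, whether it reaches http:// and https:// pages of `host`."""
    cookies = parse_set_cookie(headers)
    over_http = set(cookies_sent_to(cookies, f"http://{host}/"))
    over_https = set(cookies_sent_to(cookies, f"https://{host}/"))
    return {n: {"http": n in over_http, "https": n in over_https} for n in cookies}


if __name__ == "__main__":
    for name, reach in diagnose(LOGIN_RESPONSE_HEADERS).items():
        print(f"{name:20} http={reach['http']!s:5} https={reach['https']}")
```

Any cookie the report shows as reaching http:// is exposed to a network attacker on that leg, so only a token that grants nothing more than the plain-HTTP pages already allow should appear there.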