
Details on behavior of forms authentication RequireSSL attribute

Setting RequireSSL to true causes forms authentication to require that all requests use https, but it does NOT automatically switch to https when redirecting to the loginUrl page. If you don’t start out using https to access protected pages, you are still transferred to the http flavor of your login page, but login will not appear to work. What appears to be happening is this: authentication succeeds but does not end up adding a valid authentication cookie to the session (because https isn’t being used); you are redirected to the original protected content page, and because there is no cookie you are redirected back to the login page again.

The practical consequence of RequireSSL is therefore not to require SSL for login specifically, but to require it for all access to protected pages.

It would be nice if you could configure forms authentication to force SSL for login only and then have the redirectUrl return you to the previous access mode (https or http).
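As an added example (not code from the original post), here is one way to get the first half of that wish today: a code-behind check on the login page that bounces the browser onto https before the form is ever rendered, so the scenario above (login page reached over http, cookie never issued, endless redirect loop) cannot occur. The `Login` class name and the assumed web.config fragment in the leading comment are hypothetical; `FormsAuthentication.RequireSSL`, `Request.IsSecureConnection`, `UriBuilder` and `Response.Redirect` are the standard ASP.NET and .NET APIs.

```csharp
// Added example, not from the original post. Assumes the site's web.config
// contains a forms authentication section like this (hypothetical values):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" requireSSL="true" />
//   </authentication>
// With requireSSL="true" the forms cookie is only issued and honoured over
// https, so a login page reached over plain http never yields a usable cookie.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page   // hypothetical code-behind for Login.aspx
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only act when forms authentication actually demands SSL and the
        // current request did not arrive over it. The redirect happens on the
        // initial GET, before any credentials have been typed or posted.
        if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
        {
            // Rebuild the current URL, including the ReturnUrl query string
            // that forms authentication appended, with the https scheme.
            var secure = new UriBuilder(Request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1   // -1 selects the default port for the scheme (443)
            };

            // Terminate this response and send the browser to the https URL.
            Response.Redirect(secure.Uri.AbsoluteUri, endResponse: true);
        }
    }
}
```

Because the ReturnUrl that forms authentication appends is a site-relative path, the post-login redirect stays on https as well; returning the user to http afterwards (the second half of the wish) would have to be done deliberately on the protected page, and any page that does so must not expect the secure cookie to be sent over http.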

See this post for more information.
