
Secure Persistent ASP.NET Forms Authentication

27 Aug 2008 | LGPLv3 | 3 min read
An ASP.NET system that uses two authentication cookies, one SSL-only and one that travels over plain HTTP, to give you multiple tiers of security configurable per folder.

Introduction

While ASP.NET Forms Authentication is a good authentication system, it has one significant shortcoming for a lot of situations: the requireSSL setting is all-or-nothing. Either the authentication cookie is only ever sent over an SSL connection, or it is sent on every request, secure or not. There is no intermediate level of authentication available to you. This means that if you are operating a web store, you have a problem.

Normally, a web store wants the customer identified as soon as they arrive at the site and throughout the shopping experience. However, when the user goes to edit their account or check out, you want to switch them to a secure mode. To be secure, the cookie that authenticates them for checkout must be restricted to SSL connections. With a single cookie, that means you would have to keep the whole session on SSL from the moment they sign in, which adds unnecessary server load (a real concern in 2008) and causes mixed-content headaches with any external content you include on the page that isn't served over SSL.

The solution is to modify the forms authentication system to use a pair of cookies. The first only identifies the user: it grants no access to secure functions, does not require SSL to be transmitted, and is persistent across browser sessions. The second is the full authentication cookie and is only ever transmitted over SSL. Because the identity cookie travels in the clear and can be captured by anyone on the path, the only things it should unlock are things that are harmless if an attacker replays it: greeting the customer by name, showing their cart, or pre-filling a login form. Anything that reads or changes account data must demand the SSL-only cookie.

Using the code

Add the following to your root web.config file. These sections will probably already exist; you just add the additional entries to them:

XML
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <sectionGroup name="partialAuthenticationSystem">
      <section name="authentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationSection, 
              PartialAuthenticationSystem" 
        allowDefinition="MachineToApplication" />
      <section name="authorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationSection, 
              PartialAuthenticationSystem" />
    </sectionGroup>
  </configSections>
  
  <system.web>
    <httpModules>
      <add name="PartialAuthorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationModule,
              PartialAuthenticationSystem" />
      <add name="PartialAuthentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationModule,
              PartialAuthenticationSystem" />
    </httpModules>
  </system.web>
  
  <partialAuthenticationSystem>
    <authentication timeout="172800" name=".ASPXIDENTITY" requireSSL="false" />
    <authorization requireSSL="None" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also enable forms authentication in the <authentication> section under <system.web>, and if you are using SSL you should set requireSSL="true" there as well, so that the full-authentication cookie is marked Secure and the browser never sends it over plain HTTP. Without that, the second tier gives you no more protection than the first.

Note that you can customize the settings under <partialAuthenticationSystem> as you see fit. timeout is the lifetime of the persistent identity cookie. The cookie name must be different from the cookie name used for forms authentication (.ASPXAUTH by default); if the two share a name, one cookie overwrites the other and the tiers collapse into one.

You can also add the <authorization> section from <partialAuthenticationSystem> to web.config files in subfolders like this:

XML
<?xml version="1.0"?>
<configuration>
  <partialAuthenticationSystem>
    <authorization requireSSL="Required" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also change your code to log in and log out through the PartialAuthentication static class rather than the FormsAuthentication class; it creates or removes both cookies together. To sign a user out of the secure tier while leaving the persistent identity cookie in place (for example, once checkout is complete), call FormsAuthentication.SignOut instead, which removes only the forms authentication cookie. If you are using the standard Login control, handle its LoggedIn event and do the sign-in there; make sure the login page itself is served over SSL, because a Secure cookie set on a plain HTTP response is one the browser will never send back to you.
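The following is an added illustration of the two-cookie scheme the article describes, written for this page; it is not the PartialAuthenticationSystem library's own code, whose internals are not shown here. It reuses the standard FormsAuthenticationTicket format for both cookies so that they share the machine key and the same tamper protection, and differs from the library in that its module sets the principal itself rather than layering on top of FormsAuthenticationModule. The names TwoTierAuth, TwoTierModule, AuthTier, IDENTITY_COOKIE and the roles "Identified" and "FullLogin" are assumptions for the example.

```csharp
// Added example of a two-tier cookie scheme; not the article's library.
// TwoTierAuth, TwoTierModule, AuthTier, IDENTITY_COOKIE and the role names are assumed.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public enum AuthTier { Anonymous, Identified, FullLogin }

public static class TwoTierAuth
{
    // Must differ from FormsAuthentication.FormsCookieName (".ASPXAUTH" by default).
    const string IDENTITY_COOKIE = ".ASPXIDENTITY";
    static readonly TimeSpan IdentityLifetime = TimeSpan.FromDays(120);
    static readonly TimeSpan FullLoginLifetime = TimeSpan.FromMinutes(30);

    // Call after a successful password check, e.g. from the Login control's LoggedIn event.
    public static void SignIn(HttpContext ctx, string userName)
    {
        // Tier 2: full login. Session-scoped and marked Secure, so the browser
        // never sends it over plain HTTP regardless of what the server asks for.
        var full = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FullLoginLifetime), false, "full");
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(full))
        { Secure = true, HttpOnly = true, Path = FormsAuthentication.FormsCookiePath });

        // Tier 1: identification only. Persistent and sent in the clear, so anything
        // it unlocks must be harmless if an eavesdropper replays it.
        var ident = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(IdentityLifetime), true, "identity");
        ctx.Response.Cookies.Add(new HttpCookie(IDENTITY_COOKIE,
            FormsAuthentication.Encrypt(ident))
        { Secure = false, HttpOnly = true, Expires = ident.Expiration,
          Path = FormsAuthentication.FormsCookiePath });
    }

    // Drop the full login but keep the persistent identity (checkout finished).
    public static void SignOutFullOnly() { FormsAuthentication.SignOut(); }

    // Drop both cookies (explicit "log me out everywhere" on this browser).
    public static void SignOutAll(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Response.Cookies.Add(new HttpCookie(IDENTITY_COOKIE, string.Empty)
        { Expires = DateTime.Now.AddYears(-1), Path = FormsAuthentication.FormsCookiePath });
    }

    // Decrypt a ticket without letting a tampered, expired or foreign-key cookie
    // throw into the pipeline; a bad cookie is simply treated as absent.
    static FormsAuthenticationTicket ReadTicket(HttpRequest req, string cookieName)
    {
        var cookie = req.Cookies[cookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (Exception) { return null; }
    }

    // Decide the tier for this request. The full-login cookie only counts on an
    // SSL connection, even if some client sent it in the clear anyway.
    public static AuthTier Resolve(HttpRequest req, out string userName)
    {
        userName = null;
        var full = req.IsSecureConnection
            ? ReadTicket(req, FormsAuthentication.FormsCookieName) : null;
        if (full != null) { userName = full.Name; return AuthTier.FullLogin; }

        var ident = ReadTicket(req, IDENTITY_COOKIE);
        if (ident != null) { userName = ident.Name; return AuthTier.Identified; }
        return AuthTier.Anonymous;
    }
}

// Registered under <httpModules>. Encodes the tier as roles so pages can guard
// account functions with User.IsInRole("FullLogin") and greet with "Identified".
public class TwoTierModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    static void OnAuthenticate(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        string user;
        var tier = TwoTierAuth.Resolve(ctx.Request, out user);
        if (tier == AuthTier.Anonymous) return;
        string[] roles = tier == AuthTier.FullLogin
            ? new[] { "Identified", "FullLogin" } : new[] { "Identified" };
        ctx.User = new GenericPrincipal(new GenericIdentity(user), roles);
    }
}
```

Two details carry most of the security value. First, Resolve refuses the full-login ticket unless IsSecureConnection is true, so the check does not depend on the browser honouring the Secure flag. Second, ReadTicket swallows decryption failures; a cookie with a bad MAC, a different machine key or random bytes is treated exactly like no cookie, which is the behaviour the article's 1.0.1.1 fix restored for its own tickets. A checkout page would then do a single `if (!User.IsInRole("FullLogin")) Response.Redirect("https://.../Login.aspx?ReturnUrl=...")` rather than trusting the identity cookie.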

Points of interest

Please note that this library is designed for .NET 3.5 and Visual Studio 2008, though it should be easily convertible back to .NET 2.0 if you change the project settings.

History

  • 1.0.1.1 - 8/26/2008
    • Fixed a bug where PartialAuthentication properties weren't always initialized after an application reload.
    • Fixed a bug where invalid authentication tickets raised an exception instead of being ignored.
  • 1.0.1.0 - 5/28/2008 - Fixed problems with HTTP redirection of secure WebResource.axd and ScriptResource.axd requests.
  • 1.0.0.0 - 5/13/2008 - Initial release.

License

This article, along with any associated source code and files, is licensed under The GNU Lesser General Public License (LGPLv3)