Introduction
While the ASP.NET Forms Authentication system is a great system for authentication, it has one significant shortcoming in a lot of situations. You can only restrict it to always pass the authentication cookie over a secure connection, or to always pass it even when the connection is not secure. There is no intermediate method of authentication available to you. This means that if you are operating a web store, you have a problem.
Normally, a web store wants the customer identified as soon as they come to the site, and throughout the shopping experience. However, when the user goes to edit their account or check out, you want to switch them to a secure mode. To be secure, the cookie used to authenticate them for checkout must be restricted to SSL connections. This means that to maintain their login, you would have to remain in SSL from the moment they sign in onward, which adds a lot of unnecessary server load. It can also cause headaches with external content you might want to include on your page that isn't served over an encrypted connection.
The solution is to modify the forms authentication system to use a pair of cookies. One is valid only to identify the user, not to access secure functions; it does not require SSL to be transmitted and is persistent across sessions. The other is a full authentication cookie and requires SSL to be transmitted.
Using the code
Add the following to your root web.config file. These sections will probably already exist; you will just add the additional entries to them:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <sectionGroup name="partialAuthenticationSystem">
      <section name="authentication"
               type="PartialAuthenticationSystem.PartialAuthenticationSection,
                     PartialAuthenticationSystem"
               allowDefinition="MachineToApplication" />
      <section name="authorization"
               type="PartialAuthenticationSystem.PartialAuthorizationSection,
                     PartialAuthenticationSystem" />
    </sectionGroup>
  </configSections>
  <system.web>
    <httpModules>
      <add name="PartialAuthorization"
           type="PartialAuthenticationSystem.PartialAuthorizationModule,
                 PartialAuthenticationSystem" />
      <add name="PartialAuthentication"
           type="PartialAuthenticationSystem.PartialAuthenticationModule,
                 PartialAuthenticationSystem" />
    </httpModules>
  </system.web>
  <partialAuthenticationSystem>
    <authentication timeout="172800" name=".ASPXIDENTITY" requireSSL="false" />
    <authorization requireSSL="None" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>
You must also enable forms authentication in the <authentication> section under <system.web>, and if you are using SSL, you will probably set requireSSL to true there as well.
Note that you can customize the settings under <partialAuthenticationSystem> as you see fit. timeout is the timeout, in minutes, for the persistent cookie. The cookie name must be different from the cookie name used for forms authentication.
You can also add the <authorization> section from <partialAuthenticationSystem> to web.config files in subfolders, like this:
<?xml version="1.0"?>
<configuration>
  <partialAuthenticationSystem>
    <authorization requireSSL="Required" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>
You must also change your code to use the PartialAuthentication static class to log in and log out, rather than the FormsAuthentication class. This will create or remove both of the necessary cookies. To sign a user out of the secure section while leaving the persistent, non-secure identity cookie in place, use the FormsAuthentication.SignOut method instead. If you are using the standard Login control, just handle the LoggedIn event.
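As an added illustration of the two-cookie scheme described above, written against the standard System.Web API rather than taken from the PartialAuthenticationSystem library: a persistent identity cookie that the browser sends over plain HTTP, beside a forms authentication cookie flagged Secure so the browser only transmits it over SSL. The CookiePairExample class and IssueCookiePair method are hypothetical; the cookie name .ASPXIDENTITY and the 172800 timeout come from the sample web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of PartialAuthenticationSystem) showing the
// two cookies the scheme issues at login.
public static class CookiePairExample
{
    // Name from the <authentication> element in the web.config above.
    const string IdentityCookieName = ".ASPXIDENTITY";

    public static void IssueCookiePair(HttpResponse response, string userName, bool persistent)
    {
        // 1. Identity cookie: identifies the shopper on plain-HTTP pages. It grants
        //    no access to checkout or account pages, so Secure is deliberately false.
        //    Lifetime of 172800 minutes matches the sample config.
        var identityTicket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(172800),
            true, String.Empty);
        var identityCookie = new HttpCookie(IdentityCookieName,
                                            FormsAuthentication.Encrypt(identityTicket))
        {
            HttpOnly = true,   // keep the ticket out of reach of page script
            Secure   = false,  // sent on http:// so the store can greet the user
            Expires  = identityTicket.Expiration
        };
        response.Cookies.Add(identityCookie);

        // 2. Full authentication cookie: the normal forms-auth cookie, flagged Secure
        //    so it is never transmitted without SSL. Its name comes from <forms name="">
        //    under <system.web> and must differ from the identity cookie's name.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        authCookie.Secure   = true;
        authCookie.HttpOnly = true;
        response.Cookies.Add(authCookie);
    }

    // Signs the user out of the secure section only: the forms-auth cookie is cleared
    // while the identity cookie stays, so the shopper remains recognised on HTTP pages.
    public static void SignOutSecureOnly()
    {
        FormsAuthentication.SignOut();
    }
}
```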
Points of interest
Please note that this library is designed for .NET 3.5 and Visual Studio 2008, though it should be easy to convert back to .NET 2.0 if you change the project settings.
History
- 1.0.1.1 - 8/26/2008 - Fixed bug where PartialAuthentication properties weren't always initialized after application reload. Fixed bug where invalid authentication tickets were raising an exception instead of being ignored.
- 1.0.1.0 - 5/28/2008 - Fixed problems with HTTP redirection of secure WebResource.axd and ScriptResource.axd requests.
- 1.0.0.0 - 5/13/2008 - Initial release.