CodeProject: Secure Persistent ASP.NET Forms Authentication. Free source code and programming help

Report Article

Discuss

Send to a friend

2 votes for this Article.

Popularity: 1.20 Rating: 4.00 out of 5

Download source - 34.72 KB

Introduction

While the ASP.NET Forms Authentication system is a great system for authentication, it has one significant shortcoming for a lot of situations. You can only restrict it to always pass the authentication cookies in a secure manner, or always pass them even if the connection is not secure. There is no intermediate method of authentication available to you. This means that if you are operating a web store, you have a problem.

Normally, a web store wants the customer identified as soon as they come to the site, and throughout the shopping experience. However, when the user goes to edit their account or checkout, you want to switch them to a secure mode. In order to be secure, the cookie used to authenticate them for checkout must be restricted to SSL connections. This means that to maintain their login, you would have to remain in SSL from the moment they sign in forward, which adds a lot of unnecessary server load. Plus, it can cause headaches with external content you might want to include on your page that isn't encrypted.

The solution is to modify the forms authentication system to use a pair of cookies. One is valid only to identify you, but not access secure functions, doesn't require SSL to be transmitted, and is persistent across sessions. The other is a full authentication, and requires SSL to be transmitted.

Using the code

Add the following to your root web.config file. These sections will probably already exist, you will just add the additional entries to them:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <sectionGroup name="partialAuthenticationSystem">
      <section name="authentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationSection, 
              PartialAuthenticationSystem" 
        allowDefinition="MachineToApplication" />
      <section name="authorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationSection, 
              PartialAuthenticationSystem" />
    </sectionGroup>
  </configSections>
  
  <system.web>
    <httpModules>
      <add name="PartialAuthorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationModule,
              PartialAuthenticationSystem" />
      <add name="PartialAuthentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationModule,
              PartialAuthenticationSystem" />
    </httpModules>
  </system.web>
  
  <partialAuthenticationSystem>
    <authentication timeout="172800" name=".ASPXIDENTITY" requireSSL="false" />
    <authorization requireSSL="None" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also enable forms authentication in the <authenctication> section under <system.web>, and if you are using SSL, then you will probably set requireSSL to true there as well.

Note that you can customize the settings under <partialAuthenticationSystem> as you see fit. timeout is the timeout for the persistent cookie. The cookie name must be different than the cookie name used for forms authentication.

You can also add the <authorization> section from <partialAuthenticationSystem> to web.config files in subfolders like this:

<?xml version="1.0"?>
<configuration>
  <partialAuthenticationSystem>
    <authorization requireSSL="Required" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also change your code to use the PartialAuthentication static class to login and logout, rather than the FormsAuthentication class. This will create or remove both of the necessary cookies. To sign off a user from the secure section but still leave the persistent insecure cookie, use the FormsAuthentication.SignOff method instead. If you are using the standard Login control, just override the LoggedIn event.

Points of interest

Please note that this library is designed for .NET 3.5 and Visual Studio 2008, though it should be easily convertible back to .NET 2.0 if you change the project settings.

History

1.0.1.0 - 5/28/2008 - Fixed problems with HTTP redirection of secure WebResource.axd and ScriptResource.axd requests.
1.0.0.0 - 5/13/2008 - Initial release.
1.0.1.1 - 8/26/2008
- Fixed bug where PartialAuthentication properties weren't always initialized after application reload
- Fixed bug where invalid authentication tickets were raising exception instead of ignoring them

License

This article, along with any associated source code and files, is licensed under The GNU Lesser General Public License

About the Author

BrantBurnett

Occupation:	Software Developer (Senior)
Company:	Pathfinder Software
Location:	United States

Other popular Web Security articles:

Role-based Security with Forms Authentication
Provides insight and tips on using role-based (groups) Forms Authentication in ASP.NET, which has only partial support for roles.
Switching Between HTTP and HTTPS Automatically: Version 2
An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs
Cookieless ASP.NET forms authentication
They say it is not possible to use cookieless forms authentication in .NET. Well it is, and relatively easy to accomplish!
Single sign-on across multiple applications in ASP.NET
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way.
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
Discussing how to encode and tamper-proof text and cookies using the MachineKey, by using reflection.