
Introduction

While the ASP.NET Forms Authentication system is a great system for authentication, it has one significant shortcoming for a lot of situations. You can either require that the authentication cookie is only ever sent over a secure connection, or allow it to be sent even when the connection is not secure. There is no intermediate mode of authentication available to you. This means that if you are operating a web store, you have a problem.

Normally, a web store wants the customer identified as soon as they come to the site, and throughout the shopping experience. However, when the user goes to edit their account or checkout, you want to switch them to a secure mode. In order to be secure, the cookie used to authenticate them for checkout must be restricted to SSL connections. This means that to maintain their login, you would have to remain in SSL from the moment they sign in forward, which adds a lot of unnecessary server load. Plus, it can cause headaches with external content you might want to include on your page that isn't encrypted.

The solution is to modify the forms authentication system to use a pair of cookies. One is valid only to identify you, but not access secure functions, doesn't require SSL to be transmitted, and is persistent across sessions. The other is a full authentication, and requires SSL to be transmitted.

Using the code

Add the following to your root web.config file. These sections will probably already exist; you will just add the additional entries to them:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <sectionGroup name="partialAuthenticationSystem">
      <section name="authentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationSection, 
              PartialAuthenticationSystem" 
        allowDefinition="MachineToApplication" />
      <section name="authorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationSection, 
              PartialAuthenticationSystem" />
    </sectionGroup>
  </configSections>
  
  <system.web>
    <httpModules>
      <add name="PartialAuthorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationModule,
              PartialAuthenticationSystem" />
      <add name="PartialAuthentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationModule,
              PartialAuthenticationSystem" />
    </httpModules>
  </system.web>
  
  <partialAuthenticationSystem>
    <authentication timeout="172800" name=".ASPXIDENTITY" requireSSL="false" />
    <authorization requireSSL="None" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also enable forms authentication in the <authentication> section under <system.web>, and if you are using SSL, you will probably set requireSSL to true there as well.

Note that you can customize the settings under <partialAuthenticationSystem> as you see fit. timeout is the timeout for the persistent cookie. The cookie name must be different from the cookie name used for forms authentication.

You can also add the <authorization> section from <partialAuthenticationSystem> to web.config files in subfolders like this:

<?xml version="1.0"?>
<configuration>
  <partialAuthenticationSystem>
    <authorization requireSSL="Required" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also change your code to use the PartialAuthentication static class to log in and log out, rather than the FormsAuthentication class. This will create or remove both of the necessary cookies. To sign a user out of the secure section but still leave the persistent insecure cookie, use the FormsAuthentication.SignOut method instead. If you are using the standard Login control, just override the LoggedIn event.
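As an added illustration, not the article's library code, here is a minimal C# helper that issues the two cookies and checks them the way the configuration above describes; the class and method names, the use of the forms ticket format for the identity cookie, and the interpretation of requireSSL and requireLogin are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Illustrative two-cookie helper; not the article's PartialAuthentication class.
public static class TwoCookieAuth
{
    // Must differ from FormsAuthentication.FormsCookieName (the full cookie).
    public const string IdentityCookieName = ".ASPXIDENTITY";

    // Always issue the persistent identity cookie (no Secure flag, so it also
    // travels over plain HTTP); issue the full forms cookie only on HTTPS.
    public static void SignIn(HttpContext ctx, string userName, TimeSpan identityLifetime)
    {
        // userData deliberately empty: no roles ride in the low-trust cookie.
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(identityLifetime), true, string.Empty);
        ctx.Response.Cookies.Add(new HttpCookie(IdentityCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            Expires = ticket.Expiration,
            HttpOnly = true,   // keep it out of reach of page script
            Secure = false     // by design: usable on non-SSL pages
        });
        // Session-scoped; with <forms requireSSL="true"> it carries the Secure flag.
        if (ctx.Request.IsSecureConnection)
            FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Leave the secure area but stay identified: drop only the full cookie.
    public static void SignOutSecure() { FormsAuthentication.SignOut(); }

    // Assumed meaning of the per-folder settings: "Required" needs the full cookie
    // over HTTPS, "None" accepts the identity cookie, requireLogin=false allows anonymous.
    public static bool IsAuthorized(HttpRequest request, string requireSsl, bool requireLogin)
    {
        bool full = request.IsSecureConnection
            && request.Cookies[FormsAuthentication.FormsCookieName] != null;
        if (requireSsl == "Required") return full;
        return full || TryReadIdentity(request) != null || !requireLogin;
    }

    // User name from the identity cookie, or null if absent, expired or undecryptable.
    public static string TryReadIdentity(HttpRequest request)
    {
        HttpCookie c = request.Cookies[IdentityCookieName];
        if (c == null || string.IsNullOrEmpty(c.Value)) return null;
        FormsAuthenticationTicket t;
        try { t = FormsAuthentication.Decrypt(c.Value); }
        catch (Exception) { return null; }   // tampered or foreign value
        return (t == null || t.Expired) ? null : t.Name;
    }
}
```

A handler for a checkout page would call IsAuthorized(Request, "Required", true) and redirect to the HTTPS login page when it returns false, while catalog pages would pass "None".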

Points of interest

Please note that this library is designed for .NET 3.5 and Visual Studio 2008, though it should be easily convertible back to .NET 2.0 if you change the project settings.

History

General: Good thing, but may easily lead to a security breach
Member 3600679
23:52 27 Apr '09
I found a security breach when Roles are cached in a cookie.

If the partial authentication cookie (.ASPXIDENTITY) is stolen (e.g. by a traffic sniffer), anyone can be authorized as the user, along with his/her roles, because the standard Role Provider saves roles in a new cookie even if the authentication is partial.

There may be other security vulnerabilities with this system.
General: Re: Good thing, but may easily lead to a security breach
BrantBurnett
4:57 28 Apr '09
You make a good point. I was relying on checking to determine if the authentication was partial or full in order to provide security. However, perhaps I should only include roles in the fully authenticated cookies rather than the partial ones. Or, perhaps better, come up with a system to define which roles are low security roles that can be included in the partial authentication cookie, and only include those. Thoughts?
General: thanks!
vegeta4ss
8:41 3 Sep '08
I was looking for something like this a while back. Now I can go back and finish that project.
General: Fix the typos
John Simmons / outlaw programmer
10:22 13 May '08
It's extremely difficult to read when you have to repeatedly stop because a word is spelled (or one you're expecting is completely missing).
General: Re: Fix the typos
BrantBurnett
10:40 13 May '08
Thanks for pointing it out, I think I've gotten it fixed now. I guess I was just in too big a hurry.

Last Updated 27 Aug 2008 | Copyright © CodeProject, 1999-2010