
Secure Persistent ASP.NET Forms Authentication

27 Aug 2008, LGPLv3, 3 min read
An ASP.NET system for having two authentication cookies, one secure and one insecure, to have multiple tiers of security by folder.

Introduction

While the ASP.NET Forms Authentication system is a great system for authentication, it has one significant shortcoming in a lot of situations. You can configure it either to send the authentication cookie only over a secure connection, or to send it on every request even when the connection is not secure. There is no intermediate mode available to you. This means that if you are operating a web store, you have a problem.

Normally, a web store wants the customer identified as soon as they arrive at the site, and throughout the shopping experience. However, when the user goes to edit their account or check out, you want to switch them to a secure mode. To be secure, the cookie used to authenticate them for checkout must be restricted to SSL connections. This means that to keep them logged in, you would have to stay in SSL from the moment they sign in onward, which adds a lot of unnecessary server load. It also causes headaches with any external content you want to include on your pages that isn't served over SSL, since the browser will warn about mixed content.

The solution is to modify the forms authentication system to use a pair of cookies. One cookie only identifies the user and grants no access to secure functions; it does not require SSL to be transmitted and is persistent across sessions. The other is a full authentication cookie and is only ever transmitted over SSL.

Using the code

Add the following to your root web.config file. These sections will probably already exist, you will just add the additional entries to them:

XML
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <configSections>
    <sectionGroup name="partialAuthenticationSystem">
      <section name="authentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationSection, 
              PartialAuthenticationSystem" 
        allowDefinition="MachineToApplication" />
      <section name="authorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationSection, 
              PartialAuthenticationSystem" />
    </sectionGroup>
  </configSections>
  
  <system.web>
    <httpModules>
      <add name="PartialAuthorization" 
        type="PartialAuthenticationSystem.PartialAuthorizationModule,
              PartialAuthenticationSystem" />
      <add name="PartialAuthentication" 
        type="PartialAuthenticationSystem.PartialAuthenticationModule,
              PartialAuthenticationSystem" />
    </httpModules>
  </system.web>
  
  <partialAuthenticationSystem>
    <authentication timeout="172800" name=".ASPXIDENTITY" requireSSL="false" />
    <authorization requireSSL="None" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also enable forms authentication in the <authentication> section under <system.web>, and if you are using SSL, you will probably want to set requireSSL to true there as well.

Note that you can customize the settings under <partialAuthenticationSystem> as you see fit. timeout is the lifetime of the persistent cookie. The cookie name must be different from the cookie name used for forms authentication.

You can also add the <authorization> section from <partialAuthenticationSystem> to web.config files in subfolders like this:

XML
<?xml version="1.0"?>
<configuration>
  <partialAuthenticationSystem>
    <authorization requireSSL="Required" requireLogin="false" />
  </partialAuthenticationSystem>
</configuration>

You must also change your code to use the PartialAuthentication static class to log in and log out, rather than the FormsAuthentication class. This creates or removes both of the necessary cookies. To sign a user out of the secure section while leaving the persistent insecure cookie in place, use the FormsAuthentication.SignOut method instead. If you are using the standard Login control, just handle the LoggedIn event.
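One way to issue the cookie pair described above and to decide which tier a request has actually proven, as an added C# example that is not the PartialAuthenticationSystem library's code (the PartialAuthentication class API is not shown on this page). It uses only the System.Web forms authentication APIs; the class, method and tier names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
// Added illustration (not the library's code): the article's two-cookie scheme on System.Web APIs.
public static class TwoTierAuth
{
    // Persistent identity cookie; its name must differ from the forms auth cookie name.
    public const string IdentityCookieName = ".ASPXIDENTITY";
    const int IdentityTimeoutMinutes = 172800; // the article's timeout value
    public enum Tier { Anonymous, Identified, FullyAuthenticated }
    // Call after a successful credential check, on an HTTPS request: with
    // requireSSL="true" in <forms>, SetAuthCookie throws over plain HTTP.
    public static void SignIn(HttpResponse response, string userName)
    {
        // Tier 1: identity cookie. It travels over plain HTTP, so it must never
        // be accepted as proof for account or checkout actions.
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(IdentityTimeoutMinutes), true, "identity",
            FormsAuthentication.FormsCookiePath);
        response.Cookies.Add(new HttpCookie(IdentityCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Expires = ticket.Expiration, HttpOnly = true, Secure = false,
            Path = FormsAuthentication.FormsCookiePath
        });
        // Tier 2: the normal forms auth cookie, marked Secure by ASP.NET so the
        // browser presents it only on HTTPS connections.
        FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Leave the secure tier but keep the identity cookie (the article's "sign out
    // of the secure section" case); a full sign-out must also expire the identity cookie.
    public static void SignOutSecureTier() { FormsAuthentication.SignOut(); }
    // What the caller has actually proven. Assumes FormsAuthenticationModule has
    // already run, so Request.IsAuthenticated reflects the secure cookie.
    public static Tier Classify(HttpContext ctx)
    {
        if (ctx.Request.IsSecureConnection && ctx.Request.IsAuthenticated)
            return Tier.FullyAuthenticated;
        var idCookie = ctx.Request.Cookies[IdentityCookieName];
        if (idCookie == null) return Tier.Anonymous;
        try
        {
            // Bad or expired tickets are ignored rather than thrown (cf. the 1.0.1.1 fix).
            var ticket = FormsAuthentication.Decrypt(idCookie.Value);
            return ticket != null && !ticket.Expired ? Tier.Identified : Tier.Anonymous;
        }
        catch (Exception) { return Tier.Anonymous; } // tampered or undecryptable value
    }
}
```

Anything that changes account data or completes checkout should be reachable only when Classify returns FullyAuthenticated; an Identified caller is a convenience for personalisation, not a proof of who is at the keyboard.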

Points of interest

Please note that this library is designed for .NET 3.5 and Visual Studio 2008, though it should be easily convertible back to .NET 2.0 if you change the project settings.

History

  • 1.0.1.0 - 5/28/2008 - Fixed problems with HTTP redirection of secure WebResource.axd and ScriptResource.axd requests.
  • 1.0.0.0 - 5/13/2008 - Initial release.
  • 1.0.1.1 - 8/26/2008
    • Fixed bug where PartialAuthentication properties weren't always initialized after application reload
    • Fixed bug where invalid authentication tickets were raising exception instead of ignoring them

License

This article, along with any associated source code and files, is licensed under The GNU Lesser General Public License (LGPLv3)


Written By
Software Developer (Senior), Pathfinder Software, United States

Comments and Discussions

General: Good thing, but may easily lead to a security breach
Member 3600679, 27-Apr-09 22:52
I found a security breach when Roles are cached in a cookie.

If the partial authentication cookie (.ASPXIDENTITY) is stolen (e.g. by a traffic sniffer), anyone can be authorized as the user, along with his/her roles, because the standard Role Provider saves roles in a new cookie even if the authentication is partial.

There may be other security vulnerabilities with this system.
General: Re: Good thing, but may easily lead to a security breach
BrantBurnett, 28-Apr-09 3:57

General: thanks!
vegeta4ss, 3-Sep-08 7:41

General: Fix the typos
#realJSOP, 13-May-08 9:22

General: Re: Fix the typos
BrantBurnett, 13-May-08 9:40
