Securing the Forms Authentication Cookie when offl

2020-05-24 19:35发布

问题:

I am attempting to secure a website I am currently developing using ASP.NET MVC 2.0 and forms authentication. In order to secure the forms authentication cookie I want to set the requiresSSL property to true so the cookie is only send by browsers when the connection is under SSL, and obviously ensure that all resources which require authorization are under SSL.

My problem is that we are using Application Request Routing to fulfil a number of functions, one being SSL offloading, therefore by the time a request hits any web server in our farm the request is no longer under SSL and the FormsAuthentication.SetAuthCookie method fails because an SSL connection is required to set the cookie when requiresSSL is specified.

Anyone have any ideas as to a work around here!

Thanks

回答1:

So I have a work around for this, however if anyone has any better ideas please feel free to comment. Essentially you need to intercept the response at the end of the request and manually set the Secure property on the forms authentication cookie, pretty obvious really, you will also need to set the requireSSL property in the forms authentication configuration to false. Also bear in mind we do not want to enable HTTPS for the entire site for authenticated users hence this work around.

There are a couple of caveats to this approach and a few things to be aware of.

  1. I found during testing that the forms authentication cookie was always written to in the response, so I kept overwriting the valid authentication cookie in the browser with an empty authentication cookie, to get around this I included some logic in the HTTP module to work around this, see code snippet below.

  2. All requests to the application which require authorization must be under SSL, otherwise the request will not contain the authentication cookie in order to authenticate the user.

  3. Because you are only passing the authentication cookie for SSL requests you will need another mechanism to tell your application that the current user is authenticated when they browse the non SSL areas of the site, I have implemented this with an additional cookie which is set when the user logs in, and does not have an expiry date set, so will expire at the end of the users session, of course this cookie is removed if the user logs out.

Below is the logic implemented in an HTTP Module to affect the above, I have been testing this the last couple of hours and have not come across any problems yet, I will be sure to update this post if I do!


We should only ever send an authentication cookie to the client if the user has just logged in here's the logic

  1. If the request has an auth cookie the user is already authenticated and under SSL so ensure we do not send a new auth cookie in the response.
  2. If the request does not have an auth cookie but there is a valid auth cookie in the response, set the response auth cookie to secure, so it is only transmitted by the browser under SSL.
  3. If the request does not have an auth cookie and the response has an invalid or empty auth cookie, ensure we remove the response cookie so we dont overwrite the valid cookie in the client browser.
private void EndRequest(object sender, EventArgs e)
{
    var application = (HttpApplication)sender;

    if (ValidRequest(application.Request) && application.Response.Cookies.Count > 0)
    {

        //only do the below if the user is not logging out the site, if the user is logging out we can 
        //leave the default forms authentication behaviour which is to expire the auth cookie
        if (application.Request.AppRelativeCurrentExecutionFilePath != "~/authentication/logoff")
        {
            var requestAuthCookie = application.Request.Cookies[FormsAuthentication.FormsCookieName];
            var responseAuthCookie = application.Response.Cookies[FormsAuthentication.FormsCookieName];

            if (requestAuthCookie != null && responseAuthCookie != null && responseAuthCookie.Value.IsNullOrEmpty())
            {
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
            }
            else if (responseAuthCookie != null && !responseAuthCookie.Value.IsNullOrEmpty())
            {
                responseAuthCookie.Secure = true;
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
                application.Response.Cookies.Add(responseAuthCookie);
            }
            else if (responseAuthCookie == null || responseAuthCookie.Value.IsNullOrEmpty())
            {
                application.Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
            }
        }
    }
}


回答2:

SSL offload should allow you to make a SSL connection from the SSL offloader to the web server.

The SSL connection from the SSL Offloader to the web server should use the lightest and fastest (and probably weakest) encryption available.

This allows you to use secure cookies, reduce the encryption load on the servers and avoid the modification of your code.