Home/ Questions/Q 988711
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T05:40:37+00:00

I have a login problem. First i am using SSL while logging. When i

  • 0

I have a login problem.

First i am using SSL while logging.

When i log in, i am creating a cookie like this. when i check if it is secure the answer is yes.

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,                          // version
                                                   UserName.Text,           // user name
                                                   DateTime.Now,               // creation
                                                   DateTime.Now.AddMinutes(60),// Expiration
                                                   false,                      // Persistent 
                                                   role);         // User data

                    // Now encrypt the ticket.
                    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

                    // Create a cookie and add the encrypted ticket to the
                    // cookie as data.
                    HttpCookie authCookie =
                                 new HttpCookie(FormsAuthentication.FormsCookieName,
                                                encryptedTicket);

                    if (authCookie.Secure)
                    {
                        new GUIUtility().LogMessageToFile("The cookie is secure with SSL.");
                        // Add other required code here.
                    }

                    authCookie.Secure = FormsAuthentication.RequireSSL;

                    // Add the cookie to the outgoing cookies collection.
                    HttpContext.Current.Response.Cookies.Add(authCookie);

                    // Redirect the user to the originally requested page 
                    Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text,false));

then this is redirected to the global.asax page which has this code:

string cookieName = FormsAuthentication.FormsCookieName.ToString();
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        try
        {
            new GUIUtility().LogMessageToFile(cookieName + authCookie.Secure);
        }
        catch (Exception)
        {
            //
        }

here i get the cookieName as “.ASPXAUTH” and authCookie.Secure value as False.
Why is this happening i want the authCookie.Secure value to be true here.

Any suggestions?? thanks

my web config has this:

<authentication mode="Forms">
        <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" slidingExpiration="true" timeout="120" path="/" requireSSL="true" protection="All">
        </forms>
    </authentication>
<httpCookies requireSSL="true"/>
    <authorization>
        <deny users="?"/>
        <!--<allow users="*"/>-->
    </authorization>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Restrict the Authentication Cookie-to-HTTPS Connections

    Cookies support a “secure” property that determines whether or not browsers should send the cookie back to the server. With the secure property set, the cookie is sent by the browser only to a secure page that is requested using an HTTPS URL.

    If you are using .NET Framework version 1.1, set the secure property by using requireSSL=”true” on the element as follows:

    <forms loginUrl="Secure\Login.aspx"
   requireSSL="true" . . . />

    If you are using .NET Framework version 1.0, set the secure property manually in the Application_EndRequest event handler in Global.asax using the following code:

    protected void Application_EndRequest(Object sender, EventArgs e) 
 {
string authCookie = FormsAuthentication.FormsCookieName;

foreach (string sCookie in Response.Cookies) 
 {
if (sCookie.Equals(authCookie))
{ 
  // Set the cookie to be secure. Browsers will send the cookie
  // only to pages requested with https
  Response.Cookies[sCookie].Secure = true;
}

    }
    }

    so according to me the first option is not working in web config so im doing it manually
    which is the second option in the code..

    Please suggest.

    • 0