I have an MVC3 web app that does auth to a customization of StarterSTS. I require the realm to be known and the authentication to require SSL.
It works, great.
The problem is when the user lands back onto my website they are browsing with https. This isn’t really the experience I want. My site is not a bank or anything of the like. I feel the authentication conversation should be secure (I think) and the token encrypted (I’m sure). But if I manually change the url from https to http on my replying party web app after authenticating it says I’m not authorized.
1) why?
2) Is it possible to fall back to http ? or … Should I not require https for the authentication, but leave the token encrypted?
Well – what’s wrong with SSL?`
The token should be always transmitted using SSL – even when it is encrypted, it could be replayed etc.
Also the resulting session token needs to be protected. So I would go for SSL (easy to setup) and not worry about possible attacks that result from not using it (hard to implement).
That all said – you can turn off the SSL requirement on the wsFederation (requireHttps=”false”) and nested cookieHandler (requireSsl=”false”) configuration element.