Claims auth - setting the claims cookie to require SSL? - General Discussions - General Discussions - Progress Community
 General Discussions

Claims auth - setting the claims cookie to require SSL?

  • Claims auth - setting the claims cookie to require SSL?
  • Is it possible to set the "FedAuth" claims cookie to SSL only?

    There are config options in SecurityConfig for AuthCookieRequireSsl (which I believe controls the .ASPXAUTH cookie?) and RolesCookieRequireSsl (which I believe is only used in Forms Authentication mode). I tried setting both to True just in case, but no dice - the FedAuth cookie is not being set as SSL only.
  • Hi,

     In addition to the settings you have enabled, you can try enabling the cookieHandler requireSsl="true" in the web.config and also enabling https for the federated authentication:

    <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
            <cookieHandler requireSsl="true"/>
          </federatedAuthentication>

    Regards,
    Atanas Valchev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  • Instead of opening a new issue, I thought I'd continue with this one.

    I have successfully applied backend only SSL to a site.  This is without having the cookieHandler requireSSL set to true.

    Now, setting requireSsl="true" on the cookieHandler works fine, except when you get to edit a page (front end pages are all run over http). Sitefinity gets stuck in a redirect loop (I guess because the editing occurs over http, but it's trying to do the token over SSL).

     Is there any way around this issue?  Using Sitefinity v7.1 with claims auth btw.

  • What part of the edit page process doesn't work?

    Loading or publishing the page?
    How have you enforced SSL on the backend?
    I believe there is an issue where you need to run the workflows of http.

    Me, I use UrlRewrite to enforce SSL and have a negate rule for the Workflow
    <add input="URL" pattern="^/DefaultWorkflows" negate="true" />

     

  • Hi Darrin,

    I simply followed the instructions here http://www.sitefinity.com/developer-network/knowledge-base/securing-a-sitefinity-backend-with-ssl, including making the whole backend require SSL per page and changing the workflow base url.

    Without having the cookieHandler requireSsl="true", everything works great, all seems to be going over SSL, it automatically goes to SSL for login etc.  But if you follow http://www.sitefinity.com/documentation/documentationarticles/secure-cookies (specificially the cookieHandler requireSsl="true" part), it gets stuck in a redirect loop (looking at the network traffic) when you just try to go and edit a page (click pages on backend, click on page).  All frontend pages are set without "Require SSL", and in the sitefinity settings I don't "force" redirect to http if not set.

    I've tried the rewrite rule, but that does the same thing or worse (redirect loop on frontend as well).  Seems the "Require SSL" that's not ticked on frontend pages conflicts with the cookie going over SSL.

    I'd like to note :

    Going to for instance /home/Action while on the ssl backend (pages) sends the cookies over ssl.  But this then does a permanent redirect to /home/Action over http, so the cookies are definitely sent over http.

    Update :

    Ok.  So the issue is that if you want to run frontend over http but backend over https, there will be a conflict because even in edit mode, there's a forced redirect to http ("Require SSL" is not ticked). Seems you can't easily - without replacing the frontend route - have the frontend run over http but the page edits run over https.

    I'll go with one of the other ways to get the whole site running under https (without requiring content editors setting the "Require SSL" manually).