I created a project using asp.net mvc 5.1, asp.net identity 2.0. After I deploy it to IIS, when I go to secure page 'https://www.domain.com/Account/Login', after login, if I go to
https://www.domain.com. Request.IsAuthenticated return true on _LoginPartial.cshtml page, but go to
http://www.domain.com, always return false.
The cookie is marked as secure which is very important. This means the browser won't send it over non-SSL request because it can be potentially stolen and replayed against the web site. The short and correct solution is to always use SSL for any authenticated
requests.
I'm not sure I follow. But my point is that you need to use SSL for any page where the user will be authenticated or any page where the user will be entering sensitive data (such as the login page itself).
None
0 Points
4 Posts
asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 16, 2014 02:38 PM|lzymll|LINK
I created a project using asp.net mvc 5.1, asp.net identity 2.0. After I deploy it to IIS, when I go to secure page 'https://www.domain.com/Account/Login', after login, if I go to https://www.domain.com. Request.IsAuthenticated return true on _LoginPartial.cshtml page, but go to http://www.domain.com, always return false.
I don't know what's wrong. thanks for help
All-Star
20376 Points
6505 Posts
ASPInsiders
MVP
Re: asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 16, 2014 02:44 PM|BrockAllen|LINK
The cookie is marked as secure which is very important. This means the browser won't send it over non-SSL request because it can be potentially stolen and replayed against the web site. The short and correct solution is to always use SSL for any authenticated requests.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
None
0 Points
4 Posts
Re: asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 16, 2014 06:37 PM|lzymll|LINK
I do use the secure page https://www.domain.com/Account/Login for login, only on secure pages like https://www.domain.com display logoff, but non-secure page like http://www.domain.com still display login status.
All-Star
20376 Points
6505 Posts
ASPInsiders
MVP
Re: asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 16, 2014 07:17 PM|BrockAllen|LINK
I'm not sure I follow. But my point is that you need to use SSL for any page where the user will be authenticated or any page where the user will be entering sensitive data (such as the login page itself).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
None
0 Points
4 Posts
Re: asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 16, 2014 08:26 PM|lzymll|LINK
Sorry I didn't express clearly.
When you go to https://login.asp.net/login/signin.aspx?ReturnUrl=http%3a%2f%2fforums.asp.net%2f , after login, go back to http://forums.asp.net/
you will see Signed in as xxxx under non-secure page.
My problem is that I go to https://www.domain.com/Account/Login after login, when I go back to http://www.domain.com, still display login not logoff.
My Running Enviroment: Windows 7 + IIS7 + Asp.net MVC 5.1 + Asp.net Identity 2.0
Thanks
All-Star
20376 Points
6505 Posts
ASPInsiders
MVP
Re: asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem
Jun 17, 2014 10:09 PM|BrockAllen|LINK
I'd suggest making sure the requests are https before they hit the redirect to login page.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/