IIS 7 and Above
Forms requireSSL=True setting doesn't work with SSL offload
Last post Apr 28, 2010 09:06 AM by alex-N
Dec 22, 2009 09:08 PM|alex-N|LINK
In our setup the web servers are behind a load balancer performing SSL offload, meaning that our customers interact with our servers using HTTPS but IIS 7.0 only gets HTTP traffic (the load balancer ending the HTTPS tunnel).
Our web site uses both Forms authentication and httpCookies and our goal is to protect those cookies the best we can. To avoid having cookies potentially sent over an HTTP connection, we enabled the requireSSL=True attribute of <httpCookies> and <forms>.
Although it works well for the cookie generated by <httpCookies>, we get the following error when Forms tries to set a cookie (method FormsAuthentication.SetAuthCookie).
Is there any configuration setting I can use to force Forms to issue a secure cookie, even if it's delivered over HTTP until the load balancer, who will then send it over an established SSL connection?
Dec 23, 2009 04:33 AM|lextm|LINK
As you have offloaded SSL to the load balancer, all traffic that hits IIS is non-SSL. Therefore, you don't even need to set requireSSL to true.
I suggest you learn more about SSL offload and you will get a better understanding of how it works.
Dec 23, 2009 05:10 AM|alex-N|LINK
Thanks for your answer and your link. I had a look at the article you mention and we're clearly using the second mentioned configuration.
I want the Forms cookie to be set with the secure flag, so that the browser will never send the Forms cookie to the server over a HTTP connection but only over a secured HTTPS connection (cf RFC 2109). My understanding of the requireSSL flag for Forms
is that this is the setting to activate the secure flag. This works by the way well for the cookie defined in <httpCookie> with the same requireSSL attribute, without raising an exception.
Does what I try to achieve make more sense?
Thanks - Alex
Dec 23, 2009 06:09 AM|lextm|LINK
You already use SSL to protect the conversation between the server and the client, in which way even if you turn on requireSSL it works as an extra validation.
However, I am not familiar with the load balancer you use, so not sure how to configure it to just accept HTTPS/SSL connections from the clients, not HTTP. That's what you need to confirm on your own.
Dec 23, 2009 06:38 PM|alex-N|LINK
Totally agree that I already use SSL encryption if my customer connects to my site over SSL. I'm not using the requireSSL flag as a way to enforce this but want to use the feature to set the
secure flag to a cookie. The secure flag of the cookie will prevent the browser to send such a cookie over an HTTP connection.
Let's take an example: my website secure.example.com is accessible mainly over HTTPS but you can connect to http://secure.example.com and you'll be redirected straight to the HTTPS version. This HTTP exception was implemented for user convenience.
When a customer connects to https://secure.example.com and logs in successfully, he'll get two session cookies: one issued by the ASP.NET <httpCookie> config and a second by <forms>.
If during the session this customer sends a request to secure.example.com over HTTP, the session cookie will be sent unencrypted over Internet unless the
secure flag was specified when the cookie was set. This means that an attacker being able to sniff the network of the victim (e.g. unprotected WiFi) will be able to see the session cookie and hijack the session.
might be more clear and will certainly give more insight.
Hope this clarifies what I try to achieve.
Thanks for your help - Alex
Dec 24, 2009 02:26 AM|lextm|LINK
My understanding is that if you need to set requireSSL to true, you cannot offload SSL to the balancer.
The security requirement can only be achieved if on the balancer we only allow HTTPS traffic. Of course, that hurts performance and redirection from HTTP to HTTPS is necessary.
See if others have better suggestions.
Jan 04, 2010 05:55 PM|alex-N|LINK
Sorry for the delay and thanks for your answer. Hope you had some holidays as well :)
The odd thing is why does this work for the cookie defined in the <httpCookie> tag but not for the <forms> cookie? Isn't this inconsistent and both cookies should act the same way by either throwing an error (as the <forms> cookie does) or letting it through
(as the <httpCookie> does)?
Apr 28, 2010 09:06 AM|alex-N|LINK