I am trying to build a POC of a website that uses both HTTP and HTTPS. I have a control on my main page that needs to know whether the user is authenticated or not. For this I want to use HttpContext.Current.User.Identity.IsAuthenticated. If authenticated, information is displayed for authenticated users if the input control is not displayed.
To authenticate, the control issues an AJAX POST request to the Login action, which has the [RequireHttps] attribute. The URL used in the AJAX request:
$.ajax({
    type: 'POST',
    url: '@Url.Action("ModalLogIn", "Authentication", null, "https", Request.Url.Host + ":44300")',
    // remaining options are not shown in the post
});
By the way, I am using VS2013 for IIS with SSL support.
As you can see in my AJAX request, I use HTTPS in the action url. The request is executed by the server using SSL, and the response is successful.
The problem is that in subsequent requests, ASPXAUTH is not passed in the request header. Thus, the server does not receive user authentication information. Subsequent requests made without SSL are simple HTTP requests.
I know that in security terms the authentication is still insecure because I expect to pass ASPXAUTH via HTTP, but as I said, it is a POC and I want to see whether a simple authentication request can be made using HTTPS while everything else uses HTTP.
Thanks.
Edit
As requested, these are response headers:
Access-Control-Allow-Orig... *
Cache-Control private
Content-Length 15
Content-Type application/json; charset=utf-8
Date Sat, 26 Oct 2013 18:57:55 GMT
Server Microsoft-IIS/8.0
Set-Cookie ASP.NET_SessionId=j2a53htev0fjp1qq4bnoeo0l; path=/; HttpOnly
    ASP.NET_SessionId=j2a53htev0fjp1qq4bnoeo0l; path=/; HttpOnly
    IAC.CurrentLanguage=en; expires=Sun, 26-Oct-2014 19:57:55 GMT; path=/
    .ASPXAUTH=730DEDBFD2DF873A5F2BD581AA0E25B685CAD12C26AEA63AD82484C932E26B617687A05BB403216CC5EFCF799970810059F9CA2CF829F953580AF81FF48102003C0129AB04424F0D011A733CAAF1DE00688E5A4C93DEA97338DD2B5E7EE752F3761A470D52449BEBCA74098912DE37AA8C1E293B1C5D44EB1F9E9384DAAEF289; path=/; HttpOnly
X-AspNet-Version 4.0.30319
X-AspNetMvc-Version 3.0
X-Powered-By ASP.NET
X-SourceFiles =?UTF-8?B?QzpcTXkgRGF0YVxCaXRidWNrZXRcaWFjLXdlYnNpdGVcaW1wbGVtZW50YXRpb25cZG90bmV0XElBQy5XZWJcQXV0aGVudGljYXRpb25cTW9kYWxMb2dJbg==?=
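
An added example, not part of the original post: a simplified model of how a browser treats the login response above, covering the Fetch credentials rule for cross-origin XHR, the CORS check, and the `Secure` cookie attribute. The host `example.test`, the request path, the function names and the placeholder cookie values are assumptions; SameSite handling is not modelled.

```javascript
// Added example; simplified model of browser behaviour (SameSite rules are ignored).
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, pair.indexOf('=')),
    secure: flags.has('secure'),
    httpOnly: flags.has('httponly'),
  };
}

function auditLogin({ pageUrl, requestUrl, withCredentials, allowOrigin, allowCredentials, setCookies }) {
  const pageOrigin = new URL(pageUrl).origin;
  // Origins differ when scheme, host or port differs (http vs https on port 44300 here).
  const crossOrigin = pageOrigin !== new URL(requestUrl).origin;
  // Fetch rule: a cross-origin XHR stores Set-Cookie only when credentials are included.
  const cookiesStored = !crossOrigin || withCredentials;
  // CORS check: a credentialed response needs the exact origin plus
  // Access-Control-Allow-Credentials: true; the "*" wildcard is rejected.
  const responseReadable = !crossOrigin || (withCredentials
    ? allowOrigin === pageOrigin && allowCredentials === 'true'
    : allowOrigin === '*' || allowOrigin === pageOrigin);
  const cookies = setCookies.map(parseSetCookie).map(c => ({
    ...c,
    sentOverHttp: cookiesStored && !c.secure, // no Secure attribute: also sent on http://
  }));
  return { crossOrigin, cookiesStored, responseReadable, cookies };
}

// Constructed sample modelled on the headers in the post (cookie values are placeholders).
const sample = {
  pageUrl: 'http://example.test/',
  requestUrl: 'https://example.test:44300/Authentication/ModalLogIn',
  withCredentials: false,
  allowOrigin: '*',
  allowCredentials: undefined,
  setCookies: [
    'ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly',
    '.ASPXAUTH=PLACEHOLDER; path=/; HttpOnly',
  ],
};

console.log(auditLogin(sample));
console.log(auditLogin({ ...sample, withCredentials: true }));
```

In the second call the cookies are stored but the script cannot read the JSON response, because `Access-Control-Allow-Origin: *` fails the CORS check for a credentialed request.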