
Claims auth - setting the claims cookie to require SSL?

5 posts, 0 answered
  1. David
    3 posts
    06 Jun 2012
    11 Dec 2012
    Is it possible to set the "FedAuth" claims cookie to SSL only?

    There are config options in SecurityConfig for AuthCookieRequireSsl (which I believe controls the .ASPXAUTH cookie?) and RolesCookieRequireSsl (which I believe is only used in Forms Authentication mode). I tried setting both to True just in case, but no dice - the FedAuth cookie is not being set as SSL only.
  2. Atanas Valchev
    414 posts
    04 Jan 2016
    14 Dec 2012

     In addition to the settings you have enabled, you can try enabling the cookieHandler requireSsl="true" in the web.config and also enabling https for the federated authentication:

            <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="true"/>
            <cookieHandler requireSsl="true"/>

    Atanas Valchev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
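A way to verify the outcome of the settings discussed above, added here as an example and not code from the thread or from Sitefinity: paste the Set-Cookie headers of a backend response (as captured from browser developer tools or `curl -I`) and report which claims-auth cookies are still missing Secure or HttpOnly. WIF splits a large FedAuth cookie into FedAuth, FedAuth1, ... chunks, so the check matches by name prefix; the header values below are constructed samples.

```python
"""Audit Set-Cookie headers for the Secure/HttpOnly flags on claims-auth cookies."""
from dataclasses import dataclass, field

# Cookie names discussed in the thread. WIF chunks the session cookie as
# FedAuth, FedAuth1, FedAuth2, ..., so match on prefix rather than exact name.
AUTH_COOKIE_PREFIXES = ("FedAuth", ".ASPXAUTH", ".ASPXROLES")


@dataclass
class CookieSpec:
    name: str
    secure: bool = False
    httponly: bool = False
    attrs: dict = field(default_factory=dict)  # remaining attributes (path, expires, ...)


def parse_set_cookie(header: str) -> CookieSpec:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    spec = CookieSpec(name=name)
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            spec.secure = True
        elif key == "httponly":
            spec.httponly = True
        elif key:
            spec.attrs[key] = value.strip()
    return spec


def is_auth_cookie(name: str) -> bool:
    return name.startswith(AUTH_COOKIE_PREFIXES)


def audit(set_cookie_headers) -> dict:
    """Return {cookie name: [problems]} for every auth cookie in the response."""
    findings = {}
    for header in set_cookie_headers:
        spec = parse_set_cookie(header)
        if not is_auth_cookie(spec.name):
            continue  # session id, analytics cookies etc. are out of scope here
        problems = []
        if not spec.secure:
            problems.append("missing Secure")
        if not spec.httponly:
            problems.append("missing HttpOnly")
        findings[spec.name] = problems
    return findings


# Constructed sample response: FedAuth chunks lack Secure, .ASPXAUTH already has it.
SAMPLE_HEADERS = [
    "FedAuth=CONSTRUCTED_CHUNK_0; path=/; HttpOnly",
    "FedAuth1=CONSTRUCTED_CHUNK_1; path=/; HttpOnly",
    ".ASPXAUTH=CONSTRUCTED_TICKET; path=/; Secure; HttpOnly",
    "ASP.NET_SessionId=CONSTRUCTED_SESSION; path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
```

Run it against a capture from the https:// backend after changing requireSsl; any FedAuth chunk still reported as "missing Secure" means the setting did not take effect.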
  3. Dawid
    15 posts
    30 Jan 2012
    07 Oct 2014

    Instead of opening a new issue, I thought I'd continue with this one.

    I have successfully applied backend only SSL to a site.  This is without having the cookieHandler requireSSL set to true.

    Now, setting requireSsl="true" on the cookieHandler works fine, except when you get to edit a page (front end pages are all run over http). Sitefinity gets stuck in a redirect loop (I guess because the editing occurs over http, but it's trying to do the token over SSL).

    Is there any way around this issue? Using Sitefinity v7.1 with claims auth, btw.

  4. Darrin Robertson
    105 posts
    18 Jul 2004
    07 Oct 2014 in reply to Dawid

    What part of the edit page process doesn't work?

    Loading or publishing the page?
    How have you enforced SSL on the backend?
    I believe there is an issue where you need to run the workflows of http.

    Me, I use UrlRewrite to enforce SSL and have a negate rule for the Workflow
    <add input="{URL}" pattern="^/DefaultWorkflows" negate="true" />


  5. Dawid
    15 posts
    30 Jan 2012
    09 Oct 2014

    Hi Darrin,

    I simply followed the instructions here http://www.sitefinity.com/developer-network/knowledge-base/securing-a-sitefinity-backend-with-ssl, including making the whole backend require SSL per page and changing the workflow base url.

    Without having the cookieHandler requireSsl="true", everything works great, all seems to be going over SSL, it automatically goes to SSL for login etc. But if you follow http://www.sitefinity.com/documentation/documentationarticles/secure-cookies (specifically the cookieHandler requireSsl="true" part), it gets stuck in a redirect loop (looking at the network traffic) when you just try to go and edit a page (click pages on backend, click on page). All frontend pages are set without "Require SSL", and in the Sitefinity settings I don't "force" redirect to http if not set.

    I've tried the rewrite rule, but that does the same thing or worse (redirect loop on frontend as well).  Seems the "Require SSL" that's not ticked on frontend pages conflicts with the cookie going over SSL.

    I'd like to note:

    Going to, for instance, /home/Action while on the SSL backend (pages) sends the cookies over SSL. But this then does a permanent redirect to /home/Action over http, so the cookies are definitely sent over http.

    Update:

    Ok. So the issue is that if you want to run frontend over http but backend over https, there will be a conflict because even in edit mode, there's a forced redirect to http ("Require SSL" is not ticked). Seems you can't easily, without replacing the frontend route, have the frontend run over http but the page edits run over https.

    I'll go with one of the other ways to get the whole site running under https (without requiring content editors setting the "Require SSL" manually).
