
Situation:

Load balanced environment where SSL terminates on the LB and all traffic below it is HTTP. We have pages which require the user to be authenticated, and we also have a requirement that the authentication cookie carries the flag "secured". The whole website must run under SSL.

I want to simulate the live environment on my local machine, i.e. I want to configure a "secured" cookie under an HTTP connection. So far, I managed to get to the point where:

```csharp
Request.IsSecureConnection == true; Request.ServerVariables["HTTPS"] == "on";
```

I'm doing this by manually adding the HTTPS variable in IIS:

```xml
<rewrite>
  <rules>
    <rule name="HTTPS_Always_ON" patternSyntax="Wildcard">
      <match url="*" negate="false" />
      <serverVariables>
        <set name="HTTPS" value="on" />
      </serverVariables>
      <action type="None" />
    </rule>
  </rules>
</rewrite>
```

The problem is that I am still not able to read the authentication cookie under HTTP. I have to explicitly switch to an https connection.

Is it possible to trick asp.net into reading a secured cookie under an http connection? If so, then what do I need to do?

UPDATE: my post describes the problem but is not fully correct. Browsers don't send cookies marked as "secure" over HTTP, so there was no way to test my code directly. I needed to emulate the load balancer, which terminates SSL and forwards all traffic over HTTP to the actual web servers. It appears that you can do this on a single machine without major difficulties.

2 Answers

The problem was not with the ASP.NET application but with the fact that a secured cookie would never be sent by the browser via HTTP. I still needed to emulate the behaviour of the load balancer on my local machine, and here is the solution:

  • Install the IIS ARR v3.0 and URL Rewrite modules - they help to set up a reverse proxy in IIS
  • Enable the reverse proxy functionality in the ARR module settings
  • Create two sites in IIS - the first one works under https://test.local and the second site is available under http://test.local. In IIS the first site points to some empty folder on the file system, while the second website is your actual web application. The purpose of the first website is to simulate the load balancer, i.e. terminate SSL and forward all traffic to the second site - http://test.local. The second site, in turn, simulates your web server hidden behind the LB.
  • Go to the first website (HTTPS) and create a simple wildcard rule of type "Reverse proxy" which redirects all traffic to the second site. Select the checkbox "Enable SSL Offloading".
  • Now you can check that when you browse to https://test.local, your web application sees the URL as https://test.local:80, i.e. you have preserved "https" in the URL while running over HTTP on port 80. Job done.
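The two-site setup from the answer above as a concrete URL Rewrite configuration (an added example, not the answerer's own config). It assumes the site names from the answer, that ARR and URL Rewrite are installed, and that `HTTPS` and `HTTP_X_FORWARDED_PROTO` have been added to the allowed server variables list in applicationHost.config. It goes one step beyond the answer: instead of setting `HTTPS=on` unconditionally on the backend (as in the question's rule), the backend only treats a request as secure when the simulated LB marks it with an `X-Forwarded-Proto: https` header.

```xml
<!-- Site 1: https://test.local, the simulated load balancer (web.config) -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="LB_Simulator_Proxy" stopProcessing="true">
          <match url="(.*)" />
          <serverVariables>
            <!-- Tell the backend how the client actually connected.
                 Assumed header name; ARR does not add it on its own. -->
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
          </serverVariables>
          <!-- SSL offloading: forward over plain HTTP to the real site -->
          <action type="Rewrite" url="http://test.local/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

<!-- Site 2: http://test.local, the real application (web.config) -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTPS_From_Proxy" stopProcessing="false">
          <match url=".*" />
          <conditions>
            <!-- Only requests the proxy marked as https count as secure -->
            <add input="{HTTP_X_FORWARDED_PROTO}" pattern="^https$" ignoreCase="true" />
          </conditions>
          <serverVariables>
            <!-- Makes Request.IsSecureConnection true, so the Secure
                 authentication cookie is accepted on a port-80 request -->
            <set name="HTTPS" value="on" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The conditional rule only helps if the web server is reachable solely through the LB; a client that can reach port 80 directly could send the header itself, so the unconditional `HTTPS=on` rule and the conditional one both rely on that network boundary.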

If you could read https content under http, the internet would be in dire straits! I don't think you're on the right track.

Instead, are you able to:

  • Install a self-signed certificate on your local machine
  • Run your tests fully under HTTPS, like the server does, just without the networking infrastructure such as the load balancer.

6 Comments

This is the problem. Past the LB the connection is not secured any longer; it is HTTP, and I want to simulate the same environment locally. My question was not about reading https content under http, to be fair.

'Is it possible to trick asp.net to read secured cookie under http connection?' - It looked to me like that was exactly what you asked! - How about checking Request.IsLocal and setting HTTPS = 'on' and IsSecureConnection = true if you're not running locally? Or add a different match rule in the configuration settings.

Without getting into details, I must ensure that a "secured" authentication cookie is accepted by my application behind the LB, where the connection is not secured any longer. This is the whole problem in a nutshell. As I wrote in the OP, I already have the server variable "HTTPS" set to "ON", and ASP.NET reports that "Request.IsSecureConnection" equals true. I don't know what is missing so that ASP.NET authentication would also work properly.

Is the problem simply that the browser doesn't send the cookie to the server because it is flagged "secured"? But all this setup should work in the production environment?

Correct. Secure against the HttpCookie always ensures it cannot be read by a middle man. However, having this enabled is also really beneficial for you, obviously.
