Update To Partial Authentication System

I’ve posted an improvement to the Partial Authentication System originally posted at Secure Persistent ASP.NET Forms Authentication.

I discovered a problem in the automatic redirection of requests back to HTTP from HTTPS using the requiresSSL=”None” setting in the authorization section. Since most sites would set this to none for their root folder, this caused a problem with the links generated by ASP.NET and AJAX to WebResource.axd and ScriptResource.axd, which are logically (not physically) located in the root of the web application. If you have a secure page in another folder which requests these resources, they were being redirected back to an insecure connection, causing a potential security flaw and causing Firefox to display warnings about partial security.

This has been addressed by ignoring the requiresSSL=”None” setting for a request for any file with the “.axd” extension, effectively treating it as requiresSSL=”Optional” instead. Note that requiresSSL=”Required” is still enforced as normal for files with this extension.

I’ve posted new source and binaries for download.

UPDATE: Please see updated version here

Leave a Reply