asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem

All replies

  • User1779161005 posted

    The cookie is marked as secure, which is very important. This means the browser won't send it over a non-SSL request because it can be potentially stolen and replayed against the web site. The short and correct solution is to always use SSL for any authenticated requests.

    Monday, June 16, 2014 2:44 PM
  • User-52714207 posted

    I do use the secure page https://www.domain.com/Account/Login for login. Only secure pages like https://www.domain.com display logoff, but non-secure pages like http://www.domain.com still display login status.

    Monday, June 16, 2014 6:37 PM
  • User1779161005 posted

    I'm not sure I follow. But my point is that you need to use SSL for any page where the user will be authenticated or any page where the user will be entering sensitive data (such as the login page itself).

    Monday, June 16, 2014 7:17 PM
  • User-52714207 posted

    Sorry, I didn't express myself clearly.

    When you go to https://login.asp.net/login/signin.aspx?ReturnUrl=http%3a%2f%2fforums.asp.net%2f, after login, go back to http://forums.asp.net/

    you will see "Signed in as xxxx" under the non-secure page.

    My problem is that I go to https://www.domain.com/Account/Login, and after login, when I go back to http://www.domain.com, it still displays login, not logoff.

    My running environment: Windows 7 + IIS7 + Asp.net MVC 5.1 + Asp.net Identity 2.0

    Thanks

    Monday, June 16, 2014 8:26 PM
  • User1779161005 posted

    I'd suggest making sure the requests are https before they hit the redirect to login page.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 17, 2014 10:09 PM
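
The accepted suggestion as an added example, not code posted by anyone in the thread: force every request onto https before authorization runs, and keep the authentication cookie https-only. It assumes the default MVC 5 project template layout (App_Start/FilterConfig.cs and App_Start/Startup.Auth.cs) and the /Account/Login path from the question.

```csharp
// Added example, not from the thread. Assumes the default MVC 5 template files
// App_Start/FilterConfig.cs and App_Start/Startup.Auth.cs.
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // Global scope runs before controller- and action-level [Authorize].
        // A GET over http is redirected to the same URL over https, so the
        // browser attaches the Secure cookie and Request.IsAuthenticated is
        // true by the time the view renders login/logoff. Non-GET requests
        // over http are rejected instead of redirected.
        filters.Add(new RequireHttpsAttribute());
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // The default, SameAsRequest, already marks the cookie Secure when
            // the login happens over https, which is why the http page in the
            // question never sees it. Always makes that explicit and prevents
            // the cookie from ever being issued without the Secure attribute.
            CookieSecure = CookieSecureOption.Always,

            // Keep the authentication cookie out of reach of page script.
            CookieHttpOnly = true
        });
    }
}
```

With this in place an http URL such as http://www.domain.com is answered with a redirect to its https form, so the page shows the same signed-in state as the login page.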