asp.net mvc 5.1, asp.net identity 2.0, Request.IsAuthenticated problem

Question
-
User-52714207 posted
I created a project using asp.net mvc 5.1 and asp.net identity 2.0. After I deploy it to IIS, when I go to the secure page 'https://www.domain.com/Account/Login' and, after login, go to https://www.domain.com, Request.IsAuthenticated returns true on the _LoginPartial.cshtml page, but when I go to http://www.domain.com, it always returns false.
I don't know what's wrong. Thanks for the help.
Monday, June 16, 2014 2:38 PM
All replies
-
User1779161005 posted
The cookie is marked as secure, which is very important. This means the browser won't send it over a non-SSL request because it can potentially be stolen and replayed against the web site. The short and correct solution is to always use SSL for any authenticated requests.
Monday, June 16, 2014 2:44 PM
-
User-52714207 posted
I do use the secure page https://www.domain.com/Account/Login for login. Only secure pages like https://www.domain.com display logoff, but non-secure pages like http://www.domain.com still display login status.
Monday, June 16, 2014 6:37 PM
-
User1779161005 posted
I'm not sure I follow. But my point is that you need to use SSL for any page where the user will be authenticated or any page where the user will be entering sensitive data (such as the login page itself).
Monday, June 16, 2014 7:17 PM
-
User-52714207 posted
Sorry, I didn't express myself clearly.
When you go to https://login.asp.net/login/signin.aspx?ReturnUrl=http%3a%2f%2fforums.asp.net%2f and, after login, go back to http://forums.asp.net/,
you will see "Signed in as xxxx" on the non-secure page.
My problem is that when I go to https://www.domain.com/Account/Login and, after login, go back to http://www.domain.com, it still displays login, not logoff.
My running environment: Windows 7 + IIS7 + Asp.net MVC 5.1 + Asp.net Identity 2.0
Thanks
Monday, June 16, 2014 8:26 PM
-
User1779161005 posted
I'd suggest making sure the requests are https before they hit the redirect to the login page.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Tuesday, June 17, 2014 10:09 PM
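
One way to apply the advice in this thread, shown as an added example that is not code from any poster: force HTTPS for every MVC request and always mark the authentication cookie as Secure. It assumes the default MVC 5 project template layout (`App_Start/FilterConfig.cs` and `App_Start/Startup.Auth.cs`) and trims `ConfigureAuth` down to the cookie middleware only.

```csharp
// Added example, not from the thread. File layout and the trimmed
// ConfigureAuth body are assumptions based on the default MVC 5 template.
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// App_Start/FilterConfig.cs
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // Runs before every action: a plain-HTTP GET is redirected to the
        // same URL over HTTPS, so the browser is already on HTTPS (and will
        // send the Secure cookie) by the time _LoginPartial.cshtml evaluates
        // Request.IsAuthenticated. Non-GET requests over HTTP are rejected.
        filters.Add(new RequireHttpsAttribute());
    }
}

// App_Start/Startup.Auth.cs
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // The default, CookieSecureOption.SameAsRequest, marks the cookie
            // Secure only when the sign-in request itself arrived over HTTPS.
            // That is the situation in the question: login happened on
            // https://, so the cookie is Secure and is never sent to http://.
            // Always makes the behaviour explicit and independent of how the
            // sign-in request arrived.
            CookieSecure = CookieSecureOption.Always,

            // Keep the cookie out of reach of client-side script.
            CookieHttpOnly = true
        });
    }
}
```

With both settings in place there is no authenticated page served over http://, so the mismatch between the https:// and http:// views of `Request.IsAuthenticated` no longer arises.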