SSL Termination and ASP.NETTo customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It form. There's also a link to the form at the bottom of this column.
SSL Termination is a configuration in which the Web server running your code sends and receives traffic over HTTP, and there is a device between your Web server and your clients that encrypts and decrypts the data. In this configuration, the clients are sending and receiving HTTPS traffic. The SSL Termination configuration is similar to the following:
Issue 1When you hover over a menu item in the ASP.NET 2.0 Menu control, you get the following error message:
Well, the problem is that the
about:blank for the URL. However, the browser considers this an unsecure address, so you get the above error. For more information about this problem in terms of Microsoft Windows SharePoint Services, click the following article number to view the article in the Microsoft Knowledge Base:
protected override void Render(HtmlTextWriter writer)
Menu1.ClientID + "_Data.iframeUrl='https://myserver/someblankpage.htm';", true);
Issue 2You may find that, when you have the requireSSL attribute of the
<forms> element set to true, the server responds with repeated redirects to the
FormsAuthentication login page. This is caused by a change in the way the
FormsAuthenticationModule method handles the requireSSL attribute. If you set the requireSSL attribute to true, the FormsAuthenticationModule method creates a cookie that has the secure attribute set. (This behavior is the same as in the .NET Framework 1.1.) When you use the secure attribute, the client will only pass the cookie to the server if the client is using SSL. This part is great, because the client is indeed using SSL. Let's assume you have a SecurePage.aspx page that anonymous users can't access. With the SSL protocol and the requireSSL attribute, you end up with the following traffic on an initial request to SecurePage.aspx:
<—Server responds with an HTTP 302 (Redirect) to the login page.
—>Client makes a GET request for Login.aspx.
<—Server responds with a 200 OK. The login page is rendered to client.
—>Client makes a POST request to Login.aspx.
<—Server responds with a 302 (Redirect) to SecurePage.aspx. Set Cookie header is sent with the secure attribute to the client.
—>Client makes a GET request to SecurePage.aspx. Cookie is passed because the client is using SSL.
<—Server responds with a 302 (Redirect) back to the login page.
You get the redirect in the last request because of a change in the FormsAuthenticationModule class. An additional check was added in ASP.NET 2.0 to determine whether the user is passing a secure cookie over a non-SSL request. ASP.NET 2.0 returns the FormsAuthenticationTicket class if the FormsAuthentication.RequireSSL property is set to false or if the Request.IsSecure attribute is set to true.
- The FormsAuthentication.RequireSSL property is set to false if the requireSSL attribute is set to false in the configuration file.
- The Request.IsSecure attribute is set to true if the Web server receives SSL traffic.
The request that the user is making is anonymous at this point because the server has not yet validated the user's credentials. As the request passes through the ASP.NET pipeline, the UrlAuthorizationModule class checks whether the user has access to the page. Since an anonymous user does not have access to a SecurePage.aspx page, the
UrlAuthorizationModule class returns a 401 error message ("Access Denied"), which results in a redirect to the login page.
In order to avoid this behavior, you first have to remove the requireSSL attribute from the <forms> tag in the configuration file. Then you have to programmatically set the secure attribute on the FormsAuthentication cookie. The following code does this for you, for both the
FormsAuthentication cookie and the Session cookie.
void Application_EndRequest(object sender, EventArgs e)
if (Response.Cookies.Count > 0)
foreach (string s in Response.Cookies.AllKeys)
if (s == FormsAuthentication.FormsCookieName || s.ToLower() == "asp.net_sessionid")
Response.Cookies[s].Secure = true;
I hope you find this information helpful when you're using SSL Termination and Microsoft ASP.NET. Remember, the Support Voice columns are for you! As always, feel free to submit ideas on topics that you want addressed in future columns or in the Knowledge Base using the
Ask For It form.
Article ID: 910444 - Last Review: Jul 14, 2008 - Revision: 1