Another SSL Termination/Acceleration gotcha in 2.0

In 1.1, we used the requireSSL attribute to ensure that the FormsAuthentication cookie has the secure attribute set.  In 2.0, if you have requireSSL set, we'll remove the cookie from the incoming request if the web server receives the cookie over a non-secure connection.

Client --> SSL --> Device --> Http --> Server

Here's the rundown of what goes on:

  1. User logs in successfully.  Cookie is created and the .secure attribute is set because requireSSL is true. 
  2. Client gets the cookie and sends it on the next request because the client's connection is secure. 
  3. The device handling SSL decrypts the traffic and sends clear traffic to the server. 
  4. The FormsAuthenticationModule checks for requireSSL being set and the connection being unsecure and removes the cookie. 
  5. When the HttpContext gest to the UrlAuthorizationModule to do it's validation based on an anonymous request and sets the response to a 401.  The end result is you get redirected to the login page.

The moral of the story...if you use SSL Termination with FormsAuthentication and need to ensure the .secure attribute is set on the FormsAuthentication cookie, you'll have to do it programmatically.