Forms Authentication is very common in web applications. A web application that uses Forms Authentication normally has a login page where the user enters a user name and password. Once the user is authenticated, the web application issues a cookie carrying the user's identity to the client. Each following request from the client attaches the cookie so that the server can verify the user's identity.
For security reasons, the forms authentication cookie should be marked as Secure and HttpOnly in the live environment. In an environment without a load balancer, such as a local development server, we can simply add or configure the httpCookies element in the web.config file under <system.web>:
<httpCookies requireSSL="true" httpOnlyCookies="true"/>
<forms name="authCookie" loginUrl="login.aspx" timeout="20" requireSSL="true" />
However, in a server farm environment, such as PROD, the SSL certificate is deployed on the load balancer and the actual web site is served over plain http, so ASP.NET never sees an SSL connection. The configuration above will not work there.
In order for it to work, we have to do the following two things:
- Keep the httpCookies configuration the same as above, but change the requireSSL attribute in the <forms> element to false.
- We cannot use the FormsAuthentication.SetAuthCookie() method provided by the framework. We have to write our own code to create the authentication cookie and make sure not to set the "Secure" property (do not assign it at all, neither to true nor to false). Following is the code snippet to create the Forms Authentication cookie:
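As an added illustration (not the author's snippet), the following C# helper builds the ticket and cookie by hand the way the two steps above describe: it encrypts a FormsAuthenticationTicket, creates the HttpCookie with HttpOnly set, and deliberately never assigns Secure, so the cookie's Secure flag is left to the default that the <httpCookies requireSSL="true"> element supplies. The class name LoadBalancedFormsAuth and the method names are assumptions; FormsAuthentication.Timeout is assumed to be available (.NET 4.5 or later), otherwise use the timeout value configured in <forms>.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: manual forms-authentication cookie creation for a site that
// runs over plain http behind an SSL-terminating load balancer.
public static class LoadBalancedFormsAuth
{
    // Builds the authentication cookie without touching the Secure property.
    // With <httpCookies requireSSL="true"/> in web.config the framework's own
    // default applies, so the cookie still reaches the browser marked Secure.
    public static HttpCookie CreateAuthCookie(string userName, bool persistent)
    {
        if (string.IsNullOrEmpty(userName))
            throw new ArgumentException("userName is required", "userName");

        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            2,                                     // ticket version
            userName,                              // authenticated user
            issued,                                // issue date
            issued.Add(FormsAuthentication.Timeout), // expires after the <forms timeout>
            persistent,                            // "remember me"
            string.Empty,                          // no extra user data
            FormsAuthentication.FormsCookiePath);

        // Encrypt and sign the ticket with the machineKey of the application
        // (must be identical on every server in the farm).
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                       // keep script from reading it
            Path = FormsAuthentication.FormsCookiePath
            // Secure is intentionally NOT assigned here: FormsAuthentication.SetAuthCookie
            // would set it from <forms requireSSL>, which we had to turn off.
        };

        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;

        // A session cookie has no Expires; a persistent one lives as long as the ticket.
        if (persistent)
            cookie.Expires = ticket.Expiration;

        return cookie;
    }

    // Convenience wrapper used from the login page after the credentials check:
    // adds the cookie to the current response, replacing SetAuthCookie().
    public static void SignIn(HttpContext context, string userName, bool persistent)
    {
        context.Response.Cookies.Add(CreateAuthCookie(userName, persistent));
    }
}
```

Call LoadBalancedFormsAuth.SignIn(HttpContext.Current, userName, rememberMe) from the login page in place of FormsAuthentication.SetAuthCookie(). When verifying the deployment, inspect the Set-Cookie header as the browser receives it through the load balancer: it should carry both the Secure and HttpOnly attributes, and a request without the cookie should still be redirected to login.aspx.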
That is all. Happy coding!