Secure Cookies behind load balancer


This is a hybrid MVC/webforms application using framework 4.8, forms authentication and Membership. I need to implement secure cookies. The web site is behind a Coyote load balancer which I do not have access to (and never will have access to).

I added the following to my web.config:

  • requireSSL="true" in the authentication-forms tag
  • requireSSL="true" in the httpCookies tag
  • cookieRequireSSL="true" in the roleManager tag

While this works for a single site, it fails when I have multiple sites behind a load balancer, for the reasons outlined here:

This is the error message I get when I attempt to do secure cookies behind the load balancer:

System.Web.HttpException (0x80004005): The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL. at System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath) at System.Web.UI.WebControls.Login.AttemptLogin() at System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

I attempted the fix described by Mr. Crowley in the above link, using the IIS urlRewrite module. This essentially sets the HTTPS server variable to "on". Unlike Mr. Crowley's fix, my rule has no conditions and simply sets every request to HTTPS "on":

        <rule name="HTTPS_AlwaysOn" patternSyntax="Wildcard">
            <match url="*" />
            <serverVariables>
                <set name="HTTPS" value="on" />
            </serverVariables>
            <action type="None" />
        </rule>

However, this fix only works half-way. There is no run-time error. From tracing I can see that the user logs in successfully and the forms authentication cookie is planted, but when the user is redirected to the application's home page the secure connection is lost (the HTTPS server variable is no longer "on"; the scheme is "http" instead of "https") and the user is redirected back to the login page.

I assume this http redirect is somehow coming from some action taken by the load balancer, but I don't understand why the IIS rewrite module is missing it.

So I then tried adding this to my Global.asax.cs. This works:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    Request.ServerVariables["HTTPS"] = "on";
}

I'm able to log in and retain my authentication cookie. Hurrah!

As mentioned, the web site resides behind a load balancer. This load balancer does not allow any http requests (only https). If I try to reach my web site using http the browser stalls a very long time, then delivers the "This Site Can't Be Reached" message. This is good.

I have two questions:

One, does my fix cause any problems that I need to know about? I can't think of anything, but I have an unsettled feeling, like there is a bad smell in the room.

Two, why is my IIS rewrite rule failing to prevent the http redirect? Does the load balancer do the redirect outside of IIS?

asked on Server Fault Mar 10, 2021 by Tom Regan
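A narrower variant of the Application_BeginRequest override, added here as an illustration and not part of the question or any answer: it sets HTTPS to "on" only when the request reached IIS from a known load-balancer address and carries a forwarded scheme of https, rather than for every request. The proxy addresses and the X-Forwarded-Proto header name are assumptions; the header and addresses this particular load balancer uses are not given on the page.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

public partial class Global : HttpApplication
{
    // Addresses of the load balancer(s) that terminate TLS.
    // Placeholder values: the real proxy addresses are not on this page.
    private static readonly IPAddress[] TrustedProxies =
    {
        IPAddress.Parse("10.0.0.10"),
        IPAddress.Parse("10.0.0.11"),
    };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Request;

        // TLS all the way to IIS already: nothing to override.
        if (request.IsSecureConnection)
        {
            return;
        }

        // Honour the forwarded scheme only when the hop that reached IIS
        // is a trusted proxy; any client can send this header itself.
        IPAddress remote;
        bool fromTrustedProxy = IPAddress.TryParse(request.UserHostAddress, out remote)
                                && TrustedProxies.Contains(remote);

        // Header name is an assumption (the common convention); confirm
        // which header this load balancer actually sets.
        string forwardedProto = request.Headers["X-Forwarded-Proto"];
        bool clientUsedTls = forwardedProto != null
            && forwardedProto.Split(',')[0].Trim()
                   .Equals("https", StringComparison.OrdinalIgnoreCase);

        if (fromTrustedProxy && clientUsedTls)
        {
            // Satisfies requireSSL for FormsAuthentication and httpCookies.
            request.ServerVariables["HTTPS"] = "on";
        }
    }
}
```

If the proxy addresses cannot be learned, the header check alone is only as trustworthy as the network path, so it is worth confirming that nothing but the load balancer can reach IIS directly.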

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0