owin - ASP.NET Identity Login Redirect: Enforce Protocol (HTTPS)


Hopefully I'm missing something simple/obvious - why, and, more importantly, how do I maintain (or force) the protocol during the redirect to login?

To illustrate:

Request trace:

  • The original protocol is https.
  • One would think it should "default" to the login page, but as shown, the redirect (seemingly) doesn't maintain it.

Stuff I tried:

  • There is the RequireHttps attribute I could use, but:

    1. It seems "weird" to take 2 redirects to get "there".
    2. In situations where I have a load balancer and/or have SSL "offloaded" elsewhere (not in the server), I then get a redirect loop (SSL between the client and the front-end .NET/SSL LB, and http to the box(es)/application). That is my production case...
  • I have set up an IIS URL rewrite (aka a canonical rule to https for the entire site), and it seems "ignored" (too) (the rule does not check for "https", otherwise it suffers the same redirect loop).

  • I tried, and failed, to set an absolute url in LoginPath (in CookieAuthenticationOptions)...because you can't do that...

Thanks for any advice or pointers...


Update

As to "why"?

  1. In situations where I have a load balancer and/or have SSL "offloaded" elsewhere (not in the server), I then get a redirect loop (SSL between the client and the front-end .NET/SSL LB, and http to the box(es)/application). That is my production case..

Further tinkering got me the above, shown in the (localhost - local dev box, not server) request sequence (the above issue manifests in a production load-balanced environment with SSL processing "up the stack" - e.g. ARR):

localhost https:

  • The protocol is in fact maintained.
  • The issue seems to be exactly related to the situation where the application and "infrastructure" don't "match". It seems similar to the situation in code where Request.IsSecureConnection is checked in a "load balanced"/"web farm" environment (say ARR with the cert in ARR, not in the host/s). That check will always return false in such a situation..

So the question is for guidance on how to get around this?


Update 2

Many thanks to Richard for changing my "direction" in trying to resolve this. I'm looking for a way to:

  • Set/tell OWIN/Identity to use a secure url (explicitly) and "override" the way it evaluates LoginPath. The Secure (only) option in handling cookies somehow led me this way (if I can explicitly make cookies https only, it sort of gave me the impression of being able to do the same for LoginPath..one way or the other).

  • A "hacky" way I have in mind is to deal with it client side (javascript).

In the end, Richard's answer took me to URL rewriting (though still not on the LB side because that's beyond my control). I'm working off of this (based on my environment):

```xml
<rule name="redirect https" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{HTTP_CLUSTER_HTTPS}" pattern="^on$" negate="true" />
    <add input="{HTTP_CLUSTER_HTTPS}" pattern=".+" negate="true" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}{SCRIPT_NAME}/{REQUEST_URI}" redirectType="SeeOther" />
</rule>
```

And I see the light at the end of the tunnel.


Update 3

Awesome again, Richard, for the sleuthing! The latest answer got me sleuthing and it turns out there are quite a few posts here on SO related to CookieApplyRedirectContext...so I have this in place (which is for my specific case), and am going after:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    // This is why. If I explicitly set this, I (thought I) should
    // be able to explicitly enforce https (too, as a setting)
    // for LoginPath...
    CookieSecure = CookieSecureOption.Always,
    Provider = new CookieAuthenticationProvider
    {
        // OnValidateIdentity = .....
        OnApplyRedirect = context =>
        {
            Uri absoluteUri;
            if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
            {
                var path = PathString.FromUriComponent(absoluteUri);
                if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
                {
                    context.RedirectUri = context.RedirectUri.Replace("http:", "https:");
                }
            }
            context.Response.Redirect(context.RedirectUri);
        }
    }
});
```

This problem is occurring because the application is issuing a redirect to an absolute url. You can fix this in 1 of 2 ways: in the load balancer or in the application itself.

Load balancer

Configure the load balancer to rewrite redirect responses from http to https. If you are using ARR, the following rule (taken from here) should work:

```xml
<rule name="forum-redirect" preCondition="IsRedirection" enabled="true">
  <match serverVariable="RESPONSE_Location" pattern="^http://[^/]+/(.*)" />
  <conditions>
    <add input="{ORIGINAL_HOST}" pattern=".+" />
  </conditions>
  <action type="Rewrite" value="https://{ORIGINAL_HOST}/{R:1}" />
</rule>
```

Other load balancers will require similar configuration.

Application

We can replace the url OWIN redirects to in the authorization process with a relative url, which means the protocol will stay whatever the browser is using.

It took a bit of digging in the OWIN source to find how to do this, but the following change to the application startup should solve your problems. First, extract the CookieAuthenticationProvider initialisation from the startup config.

Change:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // move these options into the step below...
    }
});
```

to:

```csharp
var cookieProvider = new CookieAuthenticationProvider
{
    // ... options from your existing application
};

// Modify the redirect behaviour to convert the login url to a relative one
var applyRedirect = cookieProvider.OnApplyRedirect;
cookieProvider.OnApplyRedirect = context =>
{
    if (context.RedirectUri.StartsWith("http://" + context.Request.Host))
    {
        context.RedirectUri = context.RedirectUri.Substring(
            context.RedirectUri.IndexOf('/', "http://".Length));
    }
    applyRedirect(context);
};

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = cookieProvider
});
```

While you can't get at the redirection rule set easily, OWIN uses a delegate to perform the actual redirect. What I've done here is store the delegate, modify the url given, and call it again.

With this option, ensure other redirects and links within the site are relative.
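An added example, not from the question or the answer above: the same relative-redirect idea, but with the rewrite parsed as a `Uri` (host compared case-insensitively, foreign hosts left untouched, `ReturnUrl` query kept) and the cookie pinned to `Secure` since `SameAsRequest` sees plain http behind an offloading load balancer. `LoginRedirect`, `MakeSameHostRelative` and `Startup` are names chosen here, not Katana APIs.

```csharp
// Added example (not the question's or answer's code); LoginRedirect/Startup are my names.
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
public static class LoginRedirect
{
    // Returns only path + query when redirectUri points at requestHost; any other
    // URI (relative, non-http, or a different host) is returned unchanged.
    public static string MakeSameHostRelative(string redirectUri, string requestHost)
    {
        Uri absolute;
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out absolute)
            || (absolute.Scheme != Uri.UriSchemeHttp && absolute.Scheme != Uri.UriSchemeHttps))
        {
            return redirectUri;          // already relative, or not a web URL
        }
        // Uri.Authority is "host" or "host:port", the same shape as Request.Host.Value.
        if (!string.Equals(absolute.Authority, requestHost, StringComparison.OrdinalIgnoreCase))
        {
            return redirectUri;          // different host: never rewrite it into a local path
        }
        return absolute.PathAndQuery;    // scheme and host dropped, ReturnUrl query kept
    }
}
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var cookieProvider = new CookieAuthenticationProvider();
        var applyRedirect = cookieProvider.OnApplyRedirect;   // Katana's default Response.Redirect
        cookieProvider.OnApplyRedirect = context =>
        {
            context.RedirectUri = LoginRedirect.MakeSameHostRelative(
                context.RedirectUri, context.Request.Host.Value);
            applyRedirect(context);
        };
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // SameAsRequest would omit the Secure flag when TLS ends at the LB, so pin it.
            CookieSecure = CookieSecureOption.Always,
            Provider = cookieProvider
        });
    }
}
```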

