3

I have a basic website with a member login page and an administration backend area. I am using ASP.NET Membership tables for authentication.

When a member logs in they are authenticated and have access to their member profile and other related member areas.

If a user logs in and I detect they are in the ADMINISTRATOR role then a link to access the admin area of the site is available.

When the admin clicks this admin link, the site redirects to the SSL HTTPS protocol and is supposed to send the admin to the Administration area of the site.

  string SecureURL;

  SecureURL = "https://";
  SecureURL = SecureURL + Request.ServerVariables["SERVER_NAME"];
  SecureURL = SecureURL + "/Administration/Default.aspx";

  Response.Redirect(SecureURL, true);

However, the user is redirected back to the login page and has to log in again, and then they can access the admin area.

How can I force the user to remain logged in when switching to HTTPS from HTTP?

Dexter
user530776
  • How are you keeping track of session state? A cookie? If so, the cookie is not getting sent back as it isn't secure. So you will have to propagate the session to the HTTPS side by some other method (hidden field / URL param / etc.). But with the release of Firesheep, all of your login stuff should be under SSL to prevent the session hijack. – Doon Dec 04 '10 at 21:58

2 Answers

2

Here's a couple suggestions: how can I share an asp.net session between http and https

Community
joelt
0

Is there a specific reason why you didn't put your Login page under SSL?

ncakmak
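The approach raised in the comment and in the answer above (serve the login page and everything after it over SSL, so the session never crosses from HTTP to HTTPS) can be sketched as follows. This is an added example, not code from the original posts; it assumes a `Global.asax.cs` code-behind class named `Global`, HTTPS on the default port under the same host name, and TLS terminating on the web server itself.

```csharp
// Global.asax.cs -- added example, not the asker's code.
// Assumed companion setting in web.config, so the forms-authentication cookie
// is only ever issued with the Secure attribute:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" requireSSL="true" />
//   </authentication>
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Assumption: TLS terminates on this server. Behind an offloading
        // proxy IsSecureConnection is false for every request.
        if (Request.IsSecureConnection)
        {
            return;
        }

        if (Request.HttpMethod == "GET" || Request.HttpMethod == "HEAD")
        {
            // Rebuild the URL from the one the browser actually requested, so
            // the host stays the one the browser is already using and only
            // the scheme changes.
            var secure = new UriBuilder(Request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1 // -1 selects the default port for the scheme (443)
            };
            Response.Redirect(secure.Uri.AbsoluteUri, true);
        }
        else
        {
            // A form posted over plain HTTP has already exposed its body;
            // refuse it instead of redirecting it.
            Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```

With every page on HTTPS from the login onward, the hand-built redirect to `/Administration/Default.aspx` in the question becomes an ordinary same-scheme link.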