AJAX Authentication & SSL

posted on 07/12/07 at 10:53:56 pm by Joel Ross

I'm currently doing some enhancements to a client's website to take advantage of a few of the cool new features available in ASP.NET 2.0, such as AJAX, master pages and themes. We'd upgraded the site shortly after we launched it originally (on .NET 1.1), but at the time, they didn't want to do much beyond performing the upgrade and getting the same functionality as they had before.

Now, some may be asking why upgrade if you don't plan to do anything with it, and that's a valid question. The reason is valid as well. They have an internal application that runs on the same Common Business Layer (CBL) as the public website, and they are taking advantage of a lot of the .NET 2.0 features there, so it was important to get the CBL working against the .NET 2.0 framework, thus requiring the website to come with it. Plus, we eliminated 1000's of lines of code by converting to generics.

Anyway, now they want to go back and start using some of the features available. One of them is an AJAX login. Our goal is to offer a login box on any page - regardless of whether they are in SSL or not - but still be able to have them securely log in. We chose to use some of the built-in authentication services in Microsoft's implementation of AJAX to do it, and I was able to get that working just fine. Now, we're not using the ASP.NET membership functionality, so we used a custom Authentication web service, which is also fairly straightforward.

What isn't straightforward is getting it to work via SSL. That's not to say it doesn't seem simple. According to the documentation, you add an element in the web.config file as such, declaring that it should be done via SSL:

<authenticationService enabled="true" requireSSL="true" />

Simple enough, if it worked. Which it doesn't. At least not for me. No matter what I tried, it always used the same type of connection for the web service call as the page had - if I was already in SSL mode, then it used SSL, but if I was in normal mode, it never made the call via SSL.

My solution? Since we're already using a custom web service for logging in and logging out, I already have a sub-element of the script manager specifying the path to the authentication service. Normally, that's a relative path, but it can be an absolute path as well, so I just set that to be the full (https) address of my authentication web service:

<asp:ScriptManager runat="server">
  <AuthenticationService path="https://localhost/MyAuthService.asmx" />
</asp:ScriptManager>

I'm actually doing it in the code behind, so I can dynamically build the URL based on the URL the server is running on, and whether SSL should be used or not, but that's just an implementation detail. Bottom line: when I make my authentication requests via AJAX, it's done via SSL. Of course, all this would be easier if requireSSL worked as described.
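
One way the code-behind approach described above could look, as an added example that is not the code from the original post. The SiteMaster class, the BuildAuthServiceUrl helper and the LoginHost and LoginUseSsl appSettings keys are hypothetical, and HTTPS is assumed to listen on port 443.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.UI;

// Hypothetical master page hosting the login box and the ScriptManager.
public partial class SiteMaster : MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        ScriptManager sm = ScriptManager.GetCurrent(Page);
        if (sm == null) return; // page has no ScriptManager, nothing to configure

        // Hypothetical appSettings keys: "LoginHost" pins the host name instead of
        // trusting the request's Host header; "LoginUseSsl" is "false" only on
        // machines that have no certificate installed.
        string host = ConfigurationManager.AppSettings["LoginHost"];
        bool useSsl = !string.Equals(ConfigurationManager.AppSettings["LoginUseSsl"],
                                     "false", StringComparison.OrdinalIgnoreCase);

        // App-absolute path, e.g. "/MyAuthService.asmx" or "/app/MyAuthService.asmx".
        string path = VirtualPathUtility.ToAbsolute("~/MyAuthService.asmx");
        sm.AuthenticationService.Path = BuildAuthServiceUrl(Request.Url, path, host, useSsl);
    }

    // Returns the absolute https URL of the service, or the plain path when SSL is off.
    internal static string BuildAuthServiceUrl(Uri pageUrl, string path, string host, bool useSsl)
    {
        if (!useSsl) return path; // call goes out on the same scheme as the page

        UriBuilder b = new UriBuilder(pageUrl);
        b.Scheme = Uri.UriSchemeHttps;
        b.Port = 443;             // assumption: HTTPS is served on the default port
        if (!string.IsNullOrEmpty(host)) b.Host = host;
        b.Path = path;
        b.Query = string.Empty;   // drop the page's own query string and fragment
        b.Fragment = string.Empty;
        return b.Uri.AbsoluteUri;
    }
}
```

Browsers treat http:// and https:// as separate origins, so a call from an HTTP page to this URL is cross-origin and subject to the browser's same-origin policy. A page delivered over plain HTTP can also be altered in transit before it makes the call, so serving the page that hosts the login box over HTTPS avoids both issues.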


Categories: ASP.NET