SharePoint

Blog@MSNGN

Aug 08
Mixing it up w/ Mixed SSL & SP 2010

UPDATE

Chris Coulson wrote a detailed post on his blog about this topic (with very easy to follow steps).  Very nice work Chris! 


(My original post below...)


Here is some very good reading if you want to learn more on the inner workings of federated authentication models w/ claims & sp2010:
http://msdn.microsoft.com/en-us/library/ee517293.aspx


So after much digging with  firebug + the Firefox webdev extension to inspect my http sessions, I discovered 2 funny things about the cookie SharePoint is setting

 

  

1)      It ignores most of the settings we put in our <forms tag and uses its own (see below)

 

2)      No matter what attributes I set, the cookie was being written as a secure cookie, which prevented it from being transmitted via non-secure http requests



ssl_securecookie.png

I inspected the web.config some more and discovered that SharePoint is using a custom cookie handler to read/write cookies: 



<cookieHandler mode="Custom" path="/">
<customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</cookieHandler>​


Enter Reflector

once I opened up this class in reflector and traced the life of a cookie during an authentication session, it turned out that there was a hardcoded reference to the https protocol in the WriteCore method – this was trumping any of the manual settings we were trying to add in the web.config

ssl_reflector.png


The Fix:
 
Fortunately a custom cookie handler class is not that complex, so I created a new MSNGNChunkedCookieHandler class and updated the web.config entry
        
<cookieHandler mode="Custom" path="/" requireSsl="false" > 
          <!-- <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
      <customCookieHandler type="MSNGN.Utility.MSNGNChunkedCookieHandler, MSNGN.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=38c82c65bfb6cec0" />
 </cookieHandler>


This class invokes its base methods for the most part, I just slightly modified the WriteCore event w/ logic that removes the https hard coded reference. 


using System;
using System.Web;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.SharePoint.IdentityModel;
using Microsoft.IdentityModel.Web;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;
 
namespace MSNGN.Utility
{
    /// <summary>
    /// This is an override of the Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler class
    /// with the WriteCore method extended to support both Secure & Non-Secure cookies
    /// </summary>
    public class MSNGNChunkedCookieHandler : Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler
    {
 
        private ChunkedCookieHandler m_CookieHandler;
 
        public MSNGNChunkedCookieHandler() : base()
        {
            this.m_CookieHandler = new ChunkedCookieHandler();
            this.m_CookieHandler.Path = "/";
        }
 
        public MSNGNChunkedCookieHandler(int chunkSize) : base(chunkSize)
        {
            this.m_CookieHandler = new ChunkedCookieHandler(chunkSize);
            this.m_CookieHandler.Path = "/";
        }
 
        protected override void DeleteCore(string name, string path, string domain, HttpContext context)
        {
            base.DeleteCore(name, path, domain, context);
        }
 
        protected override byte[] ReadCore(string name, HttpContext context)
        {
            return base.ReadCore(name, context);
        }
 
        /// <summary>
        /// Override of the WrieCore method to remove hard coded secure cookie flag
        /// which is required to support both http & non-http sessions
        /// </summary>
        protected override void WriteCore(byte[] value, string name, string path, string domain, DateTime expirationTime, bool secure, bool httpOnly, System.Web.HttpContext context)
        {
            //override the secure cookie setting
            //to enable both https & non https cookie sessions
            secure = false;
 
            if (context == null)
            {
                throw new ArgumentNullException("context");
            }
            if (context.Request == null)
            {
                throw new ArgumentException(null, "context");
            }
            if (null == context.Request.Url)
            {
                throw new ArgumentException(null, "context");
            }
 
            //if (string.Equals(context.Request.Url.Scheme, "https", StringComparison.OrdinalIgnoreCase))
            //{
            //    secure = true;
            //}
            //else
            //{
            //    secure = false;
            //}
            if (!string.Equals(path, "/", StringComparison.OrdinalIgnoreCase))
            {
                path = "/";
            }
            this.m_CookieHandler.Write(value, name, path, domain, expirationTime, secure, httpOnly, context);
 
 
        }
 
    }
}




Comments

There are no comments for this post.