 

Is it possible to have a personalized ASP.NET web app with only some SSL pages?

I have a web application that once signed in, personalizes almost all pages.

I want to be able to have some very specific pages locked down with SSL that may have sensitive information. From what I have been able to find, once you sign in via an SSL sign-in page (area of the web site), the session information which I use to store a lot of personalization and user credentials is not available to the non-SSL portion of the web site since they are considered 2 separate applications.

This MSDN document pretty much says what I am talking about: MSDN Doc

Note: If you use this type of site structure, your application must not rely on the user's identity on the non-SSL pages. In the preceding configuration, no forms authentication ticket is sent for requests for non-SSL pages. As a result, the user is considered anonymous. This has implications for related features, such as personalization, that require the user name.

I am also not using forms authentication. When a user signs in a session object is made storing their credentials including their IP. If this session object exists for a particular user with the same IP then they are considered 'signed in' and the personalization features are enabled.

So my question is, are there any workarounds to this so that, say, my sign-in page and some other page are using SSL, the rest of the site is not, and all pages have access to the same session variables?

If not can anyone suggest any other methods of accomplishing the same type of personalization features?

Kelsey asked Dec 06 '25 17:12


1 Answer

Since there are no comments, I thought I'd offer an inelegant but practical solution.

Leave the RequireHTTPS off in your forms authentication configuration block.

Next, you create a custom class that implements IHttpModule. This interface has an Init method that takes an HttpApplication instance as an argument. You can then attach to the "AuthenticateRequest" event on this instance.

From here, you can 302-redirect any requests that come in without SSL when they should do. You'd probably want to drive which pages require SSL from a custom configuration section in your web.config.

To use this class for your requests, you have to add a line to the HttpModules section of the web.config.

Simon Johnson answered Dec 08 '25 06:12
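The module described in the answer above, written out as an added example (this is not code from the answer or from any particular project). It assumes a custom configuration section named `secureUrls` listing the virtual paths that must be served over SSL, and a module class `RequireSslModule`; both names are made up for the example. The module hooks `AuthenticateRequest`, and for any listed path requested over plain HTTP it issues a 302 to the same URL with an `https` scheme. Because the redirect target is built from the incoming request's own URL rather than from a query parameter, it cannot be turned into an open redirect. Non-GET requests are refused rather than redirected, since a 302 would silently drop a POST body.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

// Assumed web.config fragments (hypothetical section and module names):
//
//   <configSections>
//     <section name="secureUrls" type="SecureUrlsSection, App_Code" />
//   </configSections>
//   <secureUrls>
//     <add path="~/Account/SignIn.aspx" />
//     <add path="~/Account/Billing.aspx" />
//   </secureUrls>
//   <system.web>
//     <httpModules>
//       <add name="RequireSsl" type="RequireSslModule, App_Code" />
//     </httpModules>
//   </system.web>

// Custom configuration section: a default collection of <add path="..."/> elements.
public class SecureUrlsSection : ConfigurationSection
{
    [ConfigurationProperty("", IsDefaultCollection = true)]
    public SecureUrlCollection Urls
    {
        get { return (SecureUrlCollection)this[""]; }
    }
}

public class SecureUrlElement : ConfigurationElement
{
    [ConfigurationProperty("path", IsRequired = true, IsKey = true)]
    public string Path
    {
        get { return (string)this["path"]; }
    }
}

[ConfigurationCollection(typeof(SecureUrlElement))]
public class SecureUrlCollection : ConfigurationElementCollection
{
    protected override ConfigurationElement CreateNewElement()
    {
        return new SecureUrlElement();
    }

    protected override object GetElementKey(ConfigurationElement element)
    {
        return ((SecureUrlElement)element).Path;
    }
}

// The IHttpModule that enforces SSL on the configured paths.
public class RequireSslModule : IHttpModule
{
    // Loaded once per AppDomain; paths are normalised to absolute virtual paths
    // so "~/Account/SignIn.aspx" matches Request.Path under any application root.
    private static readonly HashSet<string> SecurePaths = LoadSecurePaths();

    private static HashSet<string> LoadSecurePaths()
    {
        var paths = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var section = ConfigurationManager.GetSection("secureUrls") as SecureUrlsSection;
        if (section != null)
        {
            foreach (SecureUrlElement element in section.Urls)
            {
                paths.Add(VirtualPathUtility.ToAbsolute(element.Path));
            }
        }
        return paths;
    }

    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Already on SSL, or a page that does not require it: nothing to do.
        if (request.IsSecureConnection || !SecurePaths.Contains(request.Path))
        {
            return;
        }

        // A 302 discards the request body, so refuse anything but GET instead of
        // silently losing a form post that was sent over plain HTTP.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            app.Context.Response.StatusCode = 403;
            app.CompleteRequest();
            return;
        }

        // Rebuild the same URL with https; Port = -1 drops the explicit :80.
        var secureUrl = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };

        // Redirect with endResponse=false to avoid the ThreadAbortException that
        // Response.Redirect(url) raises, then end the pipeline cleanly.
        app.Context.Response.Redirect(secureUrl.Uri.AbsoluteUri, false);
        app.CompleteRequest();
    }

    public void Dispose()
    {
    }
}
```

Two points worth checking before relying on this. First, session state is keyed by the `ASP.NET_SessionId` cookie, which the browser sends to both the HTTP and HTTPS pages of the same host as long as it is not marked `Secure`; that is what lets the personalization work on both halves of the site, but it also means the session identifier travels in the clear on every non-SSL request, so anyone who can observe that traffic can take over the session regardless of which pages were protected. Second, the `httpModules` element applies to IIS 6 and classic pipeline mode; under IIS 7 integrated mode the same `<add>` goes in `system.webServer/modules` instead.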


