Sharing Cookie between HTTP and HTTPS

In this part of the series, I’m going to cover how to allow SharePoint to use the same authentication cookie over HTTP and HTTPS.

When Windows Live authentication is used, the user is redirected to a Windows Live login page. After the user enters his email and password, Windows Live will validate the login information, and if the information is valid, the user is redirected back to our site.

Windows Live requires that the redirect URL use a secure connection. After Windows Live redirects back to SharePoint, SharePoint will create the authentication cookie, which will be used to authenticate future requests until the cookie expires.

When SharePoint creates the authentication ticket, it marks it as a secure cookie, which means any non-secure request needs to be re-authenticated. If, after the user logs in, he tries to browse the site using a non-secure connection, he will be logged out and redirected back to the login page.

To overcome this problem, a custom cookie handler has to be created.

The code of the custom cookie handler can be found below:

    using System;
    using System.Web;
    using Microsoft.IdentityModel.Web; // ChunkedCookieHandler

    // Namespace matches the type name used in the cookieHandler registration.
    namespace WindowsLive.Registration.SharePoint
    {
        class WindowsLiveChunkedCookieHandler : Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler
        {
            // Plain chunked handler used for writing, so the Secure flag can be controlled here.
            private ChunkedCookieHandler m_CookieHandler;

            public WindowsLiveChunkedCookieHandler()
                : base()
            {
                this.m_CookieHandler = new ChunkedCookieHandler();
                this.m_CookieHandler.Path = "/";
            }

            public WindowsLiveChunkedCookieHandler(int chunkSize)
                : base(chunkSize)
            {
                this.m_CookieHandler = new ChunkedCookieHandler(chunkSize);
                this.m_CookieHandler.Path = "/";
            }

            // Deleting and reading are left to the SharePoint handler.
            protected override void DeleteCore(string name, string path, string domain, HttpContext context)
            {
                base.DeleteCore(name, path, domain, context);
            }

            protected override byte[] ReadCore(string name, HttpContext context)
            {
                return base.ReadCore(name, context);
            }

            protected override void WriteCore(byte[] value, string name, string path, string domain, DateTime expirationTime, bool secure, bool httpOnly, System.Web.HttpContext context)
            {
                // Always write the cookie without the Secure flag so it is sent over both HTTP and HTTPS.
                secure = false;
                if (context == null)
                {
                    throw new ArgumentNullException("context");
                }
                if (context.Request == null)
                {
                    throw new ArgumentException(null, "context");
                }
                if (null == context.Request.Url)
                {
                    throw new ArgumentException(null, "context");
                }
                // Always scope the cookie to the site root.
                if (!string.Equals(path, "/", StringComparison.OrdinalIgnoreCase))
                {
                    path = "/";
                }
                this.m_CookieHandler.Write(value, name, path, domain, expirationTime, secure, httpOnly, context);
            }
        }
    }

 

The configuration below can be used to register the custom cookie handler:

    <cookieHandler mode="Custom" path="/" requireSsl="false">
        <!-- <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
        <customCookieHandler type="WindowsLive.Registration.SharePoint.WindowsLiveChunkedCookieHandler, WindowsLive.Registration.SharePoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=77a7309d51d4bf85" />
    </cookieHandler>
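With this handler registered, the authentication cookie no longer carries the Secure attribute and travels over plain HTTP as well. The Python script below is an added example, not code from the original post: it audits a `cookieHandler` fragment and a set of `Set-Cookie` headers for exactly that condition. The `FedAuth` cookie-name prefix is an assumption (pass your own), and the sample config and headers are constructed.

```python
import xml.etree.ElementTree as ET

# Stock handler type, taken from the commented-out line in the page's config.
STOCK_HANDLER = "Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler"

# Constructed sample: the registration shown on the page (version/token omitted).
SAMPLE_CONFIG = """<cookieHandler mode="Custom" path="/" requireSsl="false">
  <customCookieHandler type="WindowsLive.Registration.SharePoint.WindowsLiveChunkedCookieHandler, WindowsLive.Registration.SharePoint" />
</cookieHandler>"""

# Constructed sample: response headers after login with the custom handler active.
SAMPLE_HEADERS = [
    "FedAuth=77u/PD94bWwg; path=/; HttpOnly",
    "FedAuth1=dmVyc2lvbj0; path=/; HttpOnly",
    "lang=en; path=/",
]

def audit_cookie_handler(config_xml):
    """Return findings for a <cookieHandler> element taken from web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    handler = root if root.tag == "cookieHandler" else root.find(".//cookieHandler")
    if handler is None:
        return findings
    if handler.get("requireSsl", "").lower() == "false":
        findings.append("requireSsl explicitly false")
    custom = handler.find("customCookieHandler")
    if handler.get("mode") == "Custom" and custom is not None:
        # The type attribute is "Namespace.Class, Assembly, ..."; keep the class name.
        type_name = custom.get("type", "").split(",")[0].strip()
        if type_name != STOCK_HANDLER:
            findings.append("non-stock handler: " + type_name)
    return findings

def cookies_missing_secure(set_cookie_headers, prefix="FedAuth"):
    """Names of auth cookie chunks whose Set-Cookie header lacks Secure."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if name.startswith(prefix) and "secure" not in attrs:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print(audit_cookie_handler(SAMPLE_CONFIG))
    print(cookies_missing_secure(SAMPLE_HEADERS))
```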