Mixing it up w/ Mixed SSL & SP 2010

The following is a post written by Tim Nugiel with instructions for creating a custom cookie handler for mixed mode authentication.  I reference it in my blog post Mixed Http and Https Content with SharePoint 2010. The original article was posted at: http://www.msngn.com/blog/lists/posts/post.aspx?id=5. I’ve reposted it here, as the original article appears to have gone offline.


Here is some very good reading if you want to learn more on the inner workings of federated authentication models w/ claims & sp2010:
So after much digging with firebug + the Firefox webdev extension to inspect my http sessions, I discovered 2 funny things about the cookie SharePoint is setting

1) It ignores most of the settings we put in our <forms tag and uses its own (see below)

2) No matter what attributes I set, the cookie was being written as a secure cookie, which prevented it from being transmitted via non-secure http requests
I inspected the web.config some more and discovered that SharePoint is using a custom cookie handler to read/write cookies:

<cookieHandler mode="Custom" path="/">
<customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

Enter Reflector:

once I opened up this class in reflector and traced the life of a cookie during an authentication session, it turned out that there was a hardcoded reference to the https protocol in the WriteCore method – this was trumping any of the manual settings we were trying to add in the web.config


The Fix:
Fortunately a custom cookie handler class is not that complex, so I created a new MSNGNChunkedCookieHandler class and updated the web.config entry
<cookieHandler mode="Custom" path="/" requireSsl="false" > 
 <!-- <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
 <customCookieHandler type="MSNGN.Utility.MSNGNChunkedCookieHandler, MSNGN.Utility, Version=, Culture=neutral, PublicKeyToken=38c82c65bfb6cec0" />

This class invokes its base methods for the most part, I just slightly modified the WriteCore event w/ logic that removes the https hard coded reference.

using System;
using System.Web;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.SharePoint.IdentityModel;
using Microsoft.IdentityModel.Web;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;
namespace MSNGN.Utility
 /// <summary>
 /// This is an override of the Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler class
 /// with the WriteCore method extended to support both Secure & Non-Secure cookies
 /// </summary>
 public class MSNGNChunkedCookieHandler : Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler
 private ChunkedCookieHandler m_CookieHandler;
 public MSNGNChunkedCookieHandler() : base()
 this.m_CookieHandler = new ChunkedCookieHandler();
 this.m_CookieHandler.Path = "/";
 public MSNGNChunkedCookieHandler(int chunkSize) : base(chunkSize)
 this.m_CookieHandler = new ChunkedCookieHandler(chunkSize);
 this.m_CookieHandler.Path = "/";
 protected override void DeleteCore(string name, string path, string domain, HttpContext context)
 base.DeleteCore(name, path, domain, context);
 protected override byte[] ReadCore(string name, HttpContext context)
 return base.ReadCore(name, context);
 /// <summary>
 /// Override of the WrieCore method to remove hard coded secure cookie flag
 /// which is required to support both http & non-http sessions
 /// </summary>
 protected override void WriteCore(byte[] value, string name, string path, string domain, DateTime expirationTime, bool secure, bool httpOnly, System.Web.HttpContext context)
 //override the secure cookie setting
 //to enable both https & non https cookie sessions
 secure = false;
 if (context == null)
 throw new ArgumentNullException("context");
 if (context.Request == null)
 throw new ArgumentException(null, "context");
 if (null == context.Request.Url)
 throw new ArgumentException(null, "context");
 //if (string.Equals(context.Request.Url.Scheme, "https", StringComparison.OrdinalIgnoreCase))
 // secure = true;
 // secure = false;
 if (!string.Equals(path, "/", StringComparison.OrdinalIgnoreCase))
 path = "/";
 this.m_CookieHandler.Write(value, name, path, domain, expirationTime, secure, httpOnly, context);






3 responses to “Mixing it up w/ Mixed SSL & SP 2010”

  1. Juel Avatar

    Great post, but can you provide a Little more info on the reflector process, where to edit, and how? I can find Microsoft.SharePoint.IdentityModel but not Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, and there is no cookiehandler in my web.config.
    Can you provide a Little help?

    Kind regards

    1. Chris Coulson Avatar

      Have you read this article yet:


      You can see SPChunkedCookieHandler if you open Microsoft.SharePoint.IdentityModel from the GAC. Note this is from version 14 (SharePoint 2010).

      Also, there’s no real editing of files (You don’t use ilspy/reflector to make the change) – you have to create MSNGNChunkedCookieHandler in your own assembly/SharePoint project in Visual Studio.

      Also, are you on SP 2010? Because it’s possible this functionality has changed in SP 2013 or 2016.

Leave a Reply

Your email address will not be published. Required fields are marked *