{"id":271,"date":"2014-11-05T09:58:32","date_gmt":"2014-11-05T14:58:32","guid":{"rendered":"http:\/\/blogs.visigo.com\/chriscoulson\/?p=271"},"modified":"2014-11-05T09:58:32","modified_gmt":"2014-11-05T14:58:32","slug":"mixing-it-up-w-mixed-ssl-sp-2010","status":"publish","type":"post","link":"https:\/\/blogs.visigo.com\/chriscoulson\/mixing-it-up-w-mixed-ssl-sp-2010\/","title":{"rendered":"Mixing it up w\/ Mixed SSL &#038; SP 2010"},"content":{"rendered":"<p><em>The following is a post written by <strong>Tim Nugiel<\/strong> with instructions for creating a custom cookie handler for mixed mode authentication. \u00a0I reference it in my blog post\u00a0<a title=\"Mixed Http and Https Content with SharePoint 2010\" href=\"https:\/\/blogs.visigo.com\/chriscoulson\/mixed-http-and-https-content-with-sharepoint-2010\/\">Mixed Http and Https Content with SharePoint 2010<\/a>. The original article was posted at:\u00a0<a href=\"http:\/\/www.msngn.com\/blog\/lists\/posts\/post.aspx?id=5\">http:\/\/www.msngn.com\/blog\/lists\/posts\/post.aspx?id=5<\/a>. 
I&#8217;ve reposted it here, as the original article appears to have gone offline.<\/em><\/p>\n<p>Here is some very good reading if you want to learn more about the inner workings of federated authentication models w\/ claims &amp; SP2010:<br \/>\n<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ee517293.aspx\">http:\/\/msdn.microsoft.com\/en-us\/library\/ee517293.aspx<\/a><\/p>\n<p>So after much digging with Firebug + the Firefox webdev extension to inspect my HTTP sessions, I discovered 2 funny things about the cookie SharePoint is setting:<\/p>\n<p>1) It ignores most of the settings we put in our &lt;forms&gt; tag and uses its own (see below)<\/p>\n<p>2) No matter what attributes I set, the cookie was being written as a secure cookie, which prevented it from being transmitted via non-secure HTTP requests<\/p>\n<p>I inspected the web.config some more and discovered that SharePoint is using a custom cookie handler to read\/write cookies:<\/p>\n<pre>\r\n&lt;cookieHandler mode=\"Custom\" path=\"\/\"&gt;\r\n&lt;customCookieHandler type=\"Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" \/&gt;\r\n&lt;\/cookieHandler&gt;<\/pre>\n<p>Enter Reflector:<\/p>\n<p>Once I opened up this class in Reflector and traced the life of a cookie during an authentication session, it turned out that there was a hardcoded reference to the https protocol in the WriteCore method \u2013 this was trumping any of the manual settings we were trying to add in the web.config.<\/p>\n<p>The Fix:<\/p>\n<p>Fortunately a custom cookie handler class is not that complex, so I created a new MSNGNChunkedCookieHandler class and updated the web.config entry:<\/p>\n<pre>&lt;cookieHandler mode=\"Custom\" path=\"\/\" requireSsl=\"false\" &gt; \r\n &lt;!-- &lt;customCookieHandler 
type=\"Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c\" \/&gt; --&gt;\r\n &lt;customCookieHandler type=\"MSNGN.Utility.MSNGNChunkedCookieHandler, MSNGN.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=38c82c65bfb6cec0\" \/&gt;\r\n &lt;\/cookieHandler&gt;<\/pre>\n<p>This class invokes its base methods for the most part; I just slightly modified the WriteCore method w\/ logic that removes the hard-coded https reference.<\/p>\n<pre>using System;\r\nusing System.Web;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing Microsoft.SharePoint.IdentityModel;\r\nusing Microsoft.IdentityModel.Web;\r\nusing Microsoft.SharePoint.Administration;\r\nusing Microsoft.SharePoint.Administration.Claims;\r\n \r\nnamespace MSNGN.Utility\r\n{\r\n \/\/\/ &lt;summary&gt;\r\n \/\/\/ This is an override of the Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler class\r\n \/\/\/ with the WriteCore method extended to support both Secure &amp; Non-Secure cookies\r\n \/\/\/ &lt;\/summary&gt;\r\n public class MSNGNChunkedCookieHandler : Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler\r\n {\r\n \r\n private ChunkedCookieHandler m_CookieHandler;\r\n \r\n public MSNGNChunkedCookieHandler() : base()\r\n {\r\n this.m_CookieHandler = new ChunkedCookieHandler();\r\n this.m_CookieHandler.Path = \"\/\";\r\n }\r\n \r\n public MSNGNChunkedCookieHandler(int chunkSize) : base(chunkSize)\r\n {\r\n this.m_CookieHandler = new ChunkedCookieHandler(chunkSize);\r\n this.m_CookieHandler.Path = \"\/\";\r\n }\r\n \r\n protected override void DeleteCore(string name, string path, string domain, HttpContext context)\r\n {\r\n base.DeleteCore(name, path, domain, context);\r\n }\r\n \r\n protected override byte[] ReadCore(string name, HttpContext context)\r\n {\r\n return base.ReadCore(name, context);\r\n }\r\n \r\n \/\/\/ &lt;summary&gt;\r\n \/\/\/ 
Override of the WriteCore method to remove the hard-coded secure cookie flag\r\n \/\/\/ which is required to support both http &amp; https sessions\r\n \/\/\/ &lt;\/summary&gt;\r\n protected override void WriteCore(byte[] value, string name, string path, string domain, DateTime expirationTime, bool secure, bool httpOnly, System.Web.HttpContext context)\r\n {\r\n \/\/override the secure cookie setting\r\n \/\/to enable both https &amp; non https cookie sessions\r\n secure = false;\r\n \r\n if (context == null)\r\n {\r\n throw new ArgumentNullException(\"context\");\r\n }\r\n if (context.Request == null)\r\n {\r\n throw new ArgumentException(null, \"context\");\r\n }\r\n if (null == context.Request.Url)\r\n {\r\n throw new ArgumentException(null, \"context\");\r\n }\r\n \r\n \/\/scheme check disabled: secure stays false for both http and https requests\r\n \/\/if (string.Equals(context.Request.Url.Scheme, \"https\", StringComparison.OrdinalIgnoreCase))\r\n \/\/{\r\n \/\/ secure = true;\r\n \/\/}\r\n \/\/else\r\n \/\/{\r\n \/\/ secure = false;\r\n \/\/}\r\n if (!string.Equals(path, \"\/\", StringComparison.OrdinalIgnoreCase))\r\n {\r\n path = \"\/\";\r\n }\r\n this.m_CookieHandler.Write(value, name, path, domain, expirationTime, secure, httpOnly, context);\r\n \r\n \r\n }\r\n \r\n }\r\n}<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The following is a post written by Tim Nugiel with instructions for creating a custom cookie handler for mixed mode authentication. \u00a0I reference it in my blog post\u00a0Mixed Http and Https Content with SharePoint 2010. The original article was posted at:\u00a0http:\/\/www.msngn.com\/blog\/lists\/posts\/post.aspx?id=5. I&#8217;ve reposted it here, as the original article appears to have gone offline. 
&nbsp; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-271","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/posts\/271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/comments?post=271"}],"version-history":[{"count":1,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/posts\/271\/revisions"}],"predecessor-version":[{"id":272,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/posts\/271\/revisions\/272"}],"wp:attachment":[{"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/media?parent=271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/categories?post=271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.visigo.com\/chriscoulson\/wp-json\/wp\/v2\/tags?post=271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}