0

I was trying to remove HTTPS to test some caching features and my authentication stopped working. I read that when using Identity, authentication will stop working without HTTP; even a custom authentication cookie with an authentication scheme won't work either.

After I comment these 2 lines my app won't work anymore.

    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();

    app.UseHttpsRedirection();

The use of HTTPS is not mandatory, the application is to be used on our intranet and I have used Identity just to manage users. What options do I have right now?


Even with all this, when I try to log in it redirects me back to the login page, and this is using a custom authentication cookie, not Identity.

    services.AddAuthentication().AddCookie(AuthenticationSchemes.Production, options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.LoginPath = new PathString("/Login");
        options.LogoutPath = new PathString("/Logout");
        options.Cookie.HttpOnly = true;
        options.AccessDeniedPath = new PathString("/AccessDenied");
        options.SlidingExpiration = true;
        options.Cookie.Name = "NoPaper.Production";
    });

UPDATE

It seems the only solution that worked was to create a new project without HTTPS, copy everything over from the other one and install the NuGet packages, and it worked.

Jackal

2 Answers

0

Please explain in more detail how the authentication is not working. Is there any error? Try to use the F12 developer tools to check it. And please make sure you are not using the ex

As far as I know, when we create a dotnet core application via Visual Studio, if we select Individual User Accounts (using Identity), it will generally force the usage of HTTPS for best practice reasons.

In this scenario, to disable HTTPS, we could refer to the following steps:

  1. Remove the UseHttpsRedirection from the Startup.cs:

    app.UseHsts();  
    app.UseHttpsRedirection();
    
  2. Right-click the project and click Properties; in the Debug tab, uncheck the Enable SSL option. Then the application will be launched using HTTP requests.


    If you are not using Visual Studio, you could also remove the SSL references in the launchSettings.json file:


Besides, please make sure you are not using external authentication services in your application. I have created a new dotnet core application and used the above method to disable HTTPS, and then I could use Identity to register a new user and log in.

Zhi Lv
  • I have tried all of this, there is no error, just it won't let me authenticate – Jackal May 29 '20 at 13:33
  • First, I want to confirm with you that after using the above method, you have successfully disabled HTTPS and the application uses HTTP requests successfully, right? And now, the question is that it won't let the user authenticate. When does this problem occur, at user login or when registering a user? You could try to set a breakpoint in this part of the code and check where the problem occurs. If you can't find the Login or Register page, please check [this link](https://stackoverflow.com/questions/50802781/). Besides, please make sure you have added `app.UseAuthorization();` and `app.UseAuthentication();` in the Startup.cs. – Zhi Lv May 29 '20 at 14:10
  • I have done everything and it won't let me log in, it redirects back to the login page. I'm not even using the Identity cookie on this login page – Jackal May 29 '20 at 14:22
  • From your description and the provided code, it seems that you have added some configuration for Identity in the Startup.cs file. Please compare it with the new application (without HTTPS); maybe you could find the difference. Besides, you could post the related code in the Startup.cs, it might be easier for us to find out the real reason. – Zhi Lv Jun 02 '20 at 10:14
0

I had the same problem as you. I solved it by changing CookieSecurePolicy.Always to CookieSecurePolicy.None in my Startup.cs:

    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(config =>
    {
        config.Cookie.HttpOnly = true;
        config.Cookie.SecurePolicy = CookieSecurePolicy.None;
        config.Cookie.SameSite = SameSiteMode.Lax;
        config.Cookie.Name = CookieAuthenticationDefaults.AuthenticationScheme;
    });

CookieSecurePolicy.Always avoids access to Cookies if you are not using SSL. Therefore, by changing it to CookieSecurePolicy.None, you annihilate that.

Jeremy Caney
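
An added example, not code from the question or from either answer: a `Startup.cs` that uses `CookieSecurePolicy.SameAsRequest` instead of `None`, so the auth cookie still gets the `Secure` flag whenever the sign-in request arrives over HTTPS, and that skips HSTS and the HTTPS redirect only in the environment served over plain HTTP. It assumes ASP.NET Core 3.1 with Razor Pages and that the plain-HTTP environment is Development; the cookie name and paths are the ones from the question.

```csharp
// Added example (assumptions: ASP.NET Core 3.1, Razor Pages, and that the
// plain-HTTP environment is "Development"). Cookie name and paths come from the question.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = new PathString("/Login");
                options.ExpireTimeSpan = TimeSpan.FromHours(8);
                options.SlidingExpiration = true;
                options.Cookie.Name = "NoPaper.Production";
                options.Cookie.HttpOnly = true;
                options.Cookie.SameSite = SameSiteMode.Lax;
                // SameAsRequest: Secure is set when the sign-in request came over HTTPS
                // and omitted when it came over HTTP. With Always, a browser on http://
                // does not keep or return the cookie, so the next request is anonymous
                // and is redirected to LoginPath again.
                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
            });
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Keep HSTS and the HTTPS redirect wherever TLS is available.
        if (!env.IsDevelopment())
        {
            app.UseHsts();
            app.UseHttpsRedirection();
        }
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapRazorPages());
    }
}
```

To confirm the behaviour, look at the `Set-Cookie` response header of the login POST in the F12 network tab: over HTTP it should carry `httponly; samesite=lax` without `secure`.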