IIS 7.0 Forms Authentication and Embedded Media Players

One of the useful benefits of IIS 7.0 and the ASP.NET Integrated mode is the ability to protect all content using ASP.NET Forms Authentication. 

In the past, people would often protect the application pages themselves, and leave images and media content open for public access.  It wasn’t easy to extend the same internet-based authentication scheme to static content unless the static content was served through custom handlers.  Even this wasn’t a perfect solution as you’d often lose performance and static content features such as static compression and ranged request support.

With IIS 7.0, you can configure Forms Authentication and Url Authorization rules once for the entire site, and rest easy knowing that your ASPX pages, PHP scripts, HTML files and media content is protected from unauthorized access.

Unfortunately, if you are serving web video using embedded video players, you may see that your embedded player becomes broken when using forms authentication.  E.g. an embedded Windows Media Player may yeild this:

Embedded Windows Media Player fails when Forms Authentication is enabled 

Why does this happen?

Here is why.  When you log in to your site using Forms Authentication, you are typically issued a cookie that contains your authentication ticket.  On subsequent requests, the browser sends this cookie and the server automatically authenticates you.

When the embedded media player makes a request to retrieve the media content, it automatically forwards the browser cookies for that domain. This should ensure that the server can authenticate the media player’s request and return the media file.

Unfortunately, this does not happen for Forms Authentication. 

This is because when we developed ASP.NET 2.0, we made a decision to mark the Forms Authentication cookie with the HttpOnly attribute.  This attribute prevents script from being able to access the cookie – thereby blocking potential Cross-Site Scripting (XSS) attacks aimed at stealing the authentication cookie.

Because of this security measure, the embedded media player does not have access to the Forms Authentication cookie, and is unable to retrieve the media content if it is protected by Forms Authentication.

To workaround, we can remove the HttpOnly attribute from Forms Authentication cookies when they are issued.

WARNING: This may make your authentication ticket more vulnerable to stealing, if someone can successfully carry out a cookie-stealing XSS attack.

1) Place this code in global.asax in the application root:

<script runat="server" language="c#">

void Application_PreSendRequestHeaders(Object source, EventArgs e)

{

      HttpApplication app = (HttpApplication)source;

     

      HttpCookieCollection cookies = app.Context.Response.Cookies;

      if (cookies != null)

      {

        foreach(string name in cookies)

        {

          HttpCookie cookie = cookies[name];

            if (cookie.Name.Equals(FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase))

            {

                  cookie.HttpOnly = false;

                  break;

            }

        }

      }

}

</script>

2) Make sure to set <modules runAllManagedModulesForAllRequests="true" /> in the application web.config to allow this code to run for media content.

Other alternatives:

1)      Make your media content publically available

2)      Use cookie-less Forms Authentication in the application, and use relative media urls with the media player or insert the cookieless ticket in the embedded media player urls.

Using cookie-less forms authentication is also not a great option, as it may make the entire application more vulnerable to the url-based ticket threats.  For more, see “Client Ticket Security” in http://msdn.microsoft.com/en-us/magazine/cc163702.aspx.

Hopefully this helps demystify this issue. Happy (media) serving!

 

Mike
Share this post: email it! | bookmark it! | digg it! | reddit! | kick it! | live it!
Published 16 November 08 05:04 by Mike Volodarsky
Filed under: , , ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# MVolo's Blog said on November 16, 2008 6:18 PM:

One of the useful benefits of IIS 7.0 and the ASP.NET Integrated mode is the ability to protect all content

# Mark said on November 16, 2008 7:11 PM:
Mike, I also get the exact same error message in the following circumstance: - Cookieless forms authentication - Left-clicking a webpage link to a protected .wmv file. Firstly you are directed to the login page and following successful login, this launches media player on the client and produces the error message. This happens even if the user was previously authenticated. Given this is for cookieless authentication and the fact it's not an embedded player, do you have any idea why this would be happening and are there any work-arounds for this precise situation? The only thing I can tell from the IIS log is the media player appears to be requesting authentication again (login form entries are shown in the log but not seen visibly during execution). Many thanks, Mark
# Mike Volodarsky said on November 17, 2008 11:36 AM:

Hi Mark,

My guess is that the media url for the player is not relative, or does not explicitly contain the cookieless token.  

Check the server logs - do you see the player providing the cookieless tokens in the url when it requests the media content? Additionally, the content typically must be in the same application for the authentication token to work.

Thanks,

Mike

# Tanveer Badar said on November 17, 2008 12:10 PM:
You know what, my mouse happened to be exactly on Close button, and I clicked about five times and then noticed it was a picture.
# said on November 21, 2008 10:22 AM:

Hi Mike,

Yes you're right, my apologies.  I was being silly and thought I had cookieless authentication in operation when it was session state all along.  So I was in fact using cookie based authentication which is why it wasn't working, as you've already recognised.

Switching to cookieless does indeed work, as does your code for cookie based authentication.  It works a treat so thank you for the solution.  I searched high and low for the answer and this blog was the only place I could find it so thanks very much Mike for helping with this.

Regards,

Mark

# Mike Volodarsky said on December 5, 2008 4:17 PM:

You are welcome, glad to help!

Mike

# travel guru said on February 16, 2009 8:06 AM:
thank you so very much i have been looking for this !
# johnny said on February 24, 2009 7:23 AM:
Really short but useful howto. Thanks. johnny
# aspmark said on June 30, 2009 2:49 PM:
Mike, I was just wondering whether you knew if there were any plans to ensure later versions of windows media player would read httponly cookies by default? This problem doesn't seem to manifest itself with other players so it doesn't seem to be a general client/player issue but something specific to the windows player. Many thanks, Mark
# jaymo said on August 3, 2009 3:31 PM:
Mike, do these changes effect cross application support in IIS 7 for forms authentication also? I'm using the IIS 6 syntax of setting identical Forms and machineKey elements in both applications, but when I switch from Application 1 to Application 2 i get redirected to my login page. It does prove that Application 2 is at least understanding the loginUrl because it's sending me to the correct page, but it's not passing authentication. thanks, Jay
# Johhny said on August 6, 2009 10:10 AM:
Thanks for the information, Mike, it definitely resolved the issue in Internet Explorer. However, I'm still unable to get WMVs to play in other browsers (chrome, opera, firefox, safari). What happens is that after clicking on the link to the WMV file, the embedded windows media player appears, reports "opening media", then "connecting", then "ready", but the video never starts. Clicking on the play button flashes "opening media" then "ready", but does not play the video. This problem only happens with WMV files placed in a directory with a .net application using forms authentication. If I copy the WMV into a directory outside of the application (or temporarily rename web.config), it will play the WMV fine. In addition, the problem only appears to happen with WMV files - MP4 files play fine within the application (using an embedded quicktime player). Any ideas?
# NewsPeeps said on August 8, 2009 1:21 PM:

Thank you for submitting this cool story - Trackback from NewsPeeps

# Alam said on March 31, 2010 8:01 AM:
That is what I need, thank you very much!
# Shane said on February 4, 2011 11:51 PM:
Thanks, for the script. I needed that
# Hari said on March 8, 2011 9:18 PM:
Mike, What I have observed in one of the web application, we have custom login form and the authentication mode is set to windows. And instead of media player we have appletviewer which display images from server similar issue has occured and your solution has fixed the issue. My query is - Is this not fixed at IIS level though as I am using IIS7.5 on windows R2 and I see a setting on IIS for webapp httponly cookie set to false but still it doesn't work any idea why setting fails and I have to write the code in global.asax.
# Nissan servis beograd said on April 26, 2011 7:21 AM:
First time around, I forgot to edit web.config, but after I fixed that, it worked like a charm. Thanks Mike, great blog!
# said on April 29, 2011 4:46 AM:

Chaussures Nike Sale: http://www.maxpascher.com

Leave a Comment

(required) 
(optional)
(required) 
Enter the code you see below


About Mike Volodarsky

For the past 5 years, I was the core Program Manager for Microsoft ASP.NET 2.0 and IIS 7.0 products. I drove the design and development of the IIS 7.0 web server core, the IIS FastCGI support, the AppCmd command line tool, the ASP.NET Integrated pipeline, and other special projects around server security, performance, and scalability. Now, I am working on my own on cutting edge web server tech on top of the Microsoft IIS platform, and continue blogging about it here.

About me



Until 2008, I was the core server Program Manager for the IIS 7.0 and ASP.NET 2.0 products at Microsoft.


View Michael Volodarsky's profile on LinkedIn


This is my company. We build expert performance and scalability tech for web applications on the Windows Server stack.
LeanServer Sentinel: Explore and instantly diagnose your production ASP.NET applications Sentinel beta starts on August 3rd! Register now!


Writings



TechNet Magazine
>Top 10 Performance Improvements in IIS 7.0

MSDN Magazine
>IIS 7.0: Build Web Server Solutions with End-To-End Extensibility
>IIS 7.0: Enhance Your Apps with the Integrated ASP.NET Pipeline
>IIS 7.0: Explore The Web Server For Windows Vista And Beyond
>Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0
>Fast, Scalable, and Secure Session State Management for Your Web Applications


Tools and Modules

LeechGuard
IconHandler 2.0
DirectoryListing
HttpRedirection
IIS Auth for Wordpress
iisschema.exe
PortCheck.exe v2.0

Popular Posts

- ASP.NET 2.0 Breaking Changes on IIS 7.0
- Develop IIS7 modules and handlers with .NET
- Troubleshoot IIS7 errors like a pro
- Troubleshooting 503 / "service unavailable" errors
- Troubleshooting "server not found" errors
- Create IIS7 sites, applications, and virtual directories
- Run Ruby on Rails with IIS FastCGI
- VS Debugging of ASP.NET applications on Windows Vista
- Stop hot-linking with IIS and ASP.NET

Tags

Search

Go

This Blog

Archives

Good IIS Blogs

Disclaimer

These postings are provided as is with no warranties, and confer no rights. The views expressed in this blog are entirely my own.

Syndication