A more description error when there's an attempt to login over HTTP c…

…onnection, when HTTPS is required for cookies.
Orckestra · Mar 13, 2020 · d2092c6 · d2092c6
1 parent 8593d3f
commit d2092c6
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/...LoginSessionStores/HttpContextBasedLoginSessionStore/HttpContextBasedLoginSessionStore.cs b/...LoginSessionStores/HttpContextBasedLoginSessionStore/HttpContextBasedLoginSessionStore.cs
@@ -51,9 +51,18 @@ private static void StoreUsernameImpl(string userName, bool persistAcrossSession
             cookie.HttpOnly = true;
 
             var context = HttpContext.Current;
-            if (context != null && context.Request.IsSecureConnection)
+            if (context != null)
             {
-                cookie.Secure = true;
+                if (context.Request.IsSecureConnection)
+                {
+                    cookie.Secure = true;
+                }
+                else if (cookie.Secure)
+                {
+                    throw new InvalidOperationException(
+                        "A login attempt over a not secure connection, when system.web/httpCookies/@requireSSL is set to 'true'. " +
+                        "Either secure connection should be required for console login, or SSL should not be required for cookies.");
+                }
             }
 
             if (persistAcrossSessions)