​UPDATE

Chris Coulson wrote a detailed post on his blog about this topic (with very easy to follow steps).  Very nice work Chris! 

Very good reading if you want to learn more on the inner workings of federated authentication models w/ claims & sp2010:
http://msdn.microsoft.com/en-us/library/ee517293.aspx

   

So after much digging with  firebug + the Firefox webdev extension to inspect my http sessions, I discovered 2 funny things about the cookie SharePoint is setting

  

1)      It ignores most of the settings we put in our <forms tag and uses its own (see below)

2)      No matter what attributes I set, the cookie was being written as a secure cookie, which prevented it from being transmitted via non-secure http requests

 

 

I inspected the web.config some more and discovered that SharePoint is using a custom cookie handler to read/write cookies: 

        <cookieHandler mode="Custom" path="/">

 

<customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

 

        </cookieHandler>

 

Enter Reflector:

once I opened up this class in reflector and traced the life of a cookie during an authentication session, it turned out that there was a hardcoded reference to the https protocol in the WriteCore method – this was trumping any of the manual settings we were trying to add in the web.config

 

 

The Fix:

 

Fortunately a custom cookie handler class is not that complex, so I created a new MSNGNChunkedCookieHandler class and updated the web.config entry

        

<cookieHandler mode="Custom" path="/" requireSsl="false" >
          <!-- <customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
                <customCookieHandler type="MSNGN.Utility.MSNGNChunkedCookieHandler, MSNGN.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=38c82c65bfb6cec0" />
        </cookieHandler>

 

This class invokes its base methods for the most part, I just slightly modified the WriteCore event w/ logic that removes the https hard coded reference. 

 

=== BEGIN CODE BLOCK ===

 

using System;

using System.Web;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using Microsoft.SharePoint.IdentityModel;

using Microsoft.IdentityModel.Web;

using Microsoft.SharePoint.Administration;

using Microsoft.SharePoint.Administration.Claims;

 

namespace MSNGN.Utility

{

    /// <summary>

    /// This is an override of the Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler class

    /// with the WriteCore method extended to support both Secure & Non-Secure cookies

    /// </summary>

    public class MSNGNChunkedCookieHandler : Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler

    {

 

        private ChunkedCookieHandler m_CookieHandler;

 

        public MSNGNChunkedCookieHandler() : base()

        {

            this.m_CookieHandler = new ChunkedCookieHandler();

            this.m_CookieHandler.Path = "/";

        }

 

        public MSNGNChunkedCookieHandler(int chunkSize) : base(chunkSize)

        {

            this.m_CookieHandler = new ChunkedCookieHandler(chunkSize);

            this.m_CookieHandler.Path = "/";

        }

 

        protected override void DeleteCore(string name, string path, string domain, HttpContext context)

        {

            base.DeleteCore(name, path, domain, context);

        }

 

        protected override byte[] ReadCore(string name, HttpContext context)

        {

            return base.ReadCore(name, context);

        }

 

        /// <summary>

        /// Override of the WrieCore method to remove hard coded secure cookie flag

        /// which is required to support both http & non-http sessions

        /// </summary>

        protected override void WriteCore(byte[] value, string name, string path, string domain, DateTime expirationTime, bool secure, bool httpOnly, System.Web.HttpContext context)

        {

            //override the secure cookie setting

            //to enable both https & non https cookie sessions

            secure = false;

 

            if (context == null)

            {

                throw new ArgumentNullException("context");

            }

            if (context.Request == null)

            {

                throw new ArgumentException(null, "context");

            }

            if (null == context.Request.Url)

            {

                throw new ArgumentException(null, "context");

            }

 

            //if (string.Equals(context.Request.Url.Scheme, "https", StringComparison.OrdinalIgnoreCase))

            //{

            //    secure = true;

            //}

            //else

            //{

            //    secure = false;

            //}

            if (!string.Equals(path, "/", StringComparison.OrdinalIgnoreCase))

            {

                path = "/";

            }

            this.m_CookieHandler.Write(value, name, path, domain, expirationTime, secure, httpOnly, context);

 

 

        }

 

    }

}

 

 

 

=== END CODE BLOCK ===

I also threw together a quick “SSLTrafficCop” http module to route requests to either the secure or non-secure channel.  At the moment, the logic directs requests to the following paths to HTTPS, the other requests are routed through HTTP.  We can think about the best place to store these settings where they can be more configurable, but for now this will work for the remote authors.

 

  

To install the traffic cop, simply add the following entry to our ever growing list of modules in the web.config.   This should only be installed on machines with valid SSL certs, so probably best to leave this setting off of the dev machines.