ASP.NET and SSL question

S

Steve S

Hi,
I have an ASP.NET 2.0 application with an ASP.NET login control in the
master page. The user can only access the home page without logging in, all
the other pages require authentication. Once the user has logged in the
login control is hidden.

To secure the users name and password does this mean my entire web site
should use SSL or can I get away with just using SSL on the home page where
they login?

Please feel free to ask for more information.
Thanks
Steve
 
E

Eliyahu Goldin

My understanding is that the scope of using SSL is one http request. So if
you navigate from the home page to other pages with https://..., you will
use SSL. If you do with http, you won't.

I am not sure though if you will remain in the same application as you
switch from http to https. Give it a try and see if the user remains
authenticated.

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net
 
S

Steve S

Hi Eliyahu,
Thanks for the reply. I will test this out but I'm not at that stage, I'm
trying to get a heads up and work out the best way to approach this.

I've seen websites where you login under http you are then redirected to a
https page for authentication and then you can access the rest of the web
site under http for example www.king.com. I'm wondering if I could do
something similar in ASP.NET.

Cheers
Steve
Eliyahu Goldin said:
My understanding is that the scope of using SSL is one http request. So if
you navigate from the home page to other pages with https://..., you will
use SSL. If you do with http, you won't.

I am not sure though if you will remain in the same application as you
switch from http to https. Give it a try and see if the user remains
authenticated.

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net


Steve S said:
Hi,
I have an ASP.NET 2.0 application with an ASP.NET login control in the
master page. The user can only access the home page without logging in,
all the other pages require authentication. Once the user has logged in
the login control is hidden.

To secure the users name and password does this mean my entire web site
should use SSL or can I get away with just using SSL on the home page
where they login?

Please feel free to ask for more information.
Thanks
Steve
Click to expand...
Click to expand...
 
N

Naraendirakumar R.R.

From my experience the user still remains authenticated as long as the forms
authentication cookie is not marked as a secure cookie. Best I can
remember the forms authentication cookie is not marked as secure by default.

Eliyahu Goldin said:
My understanding is that the scope of using SSL is one http request. So if
you navigate from the home page to other pages with https://..., you will
use SSL. If you do with http, you won't.

I am not sure though if you will remain in the same application as you
switch from http to https. Give it a try and see if the user remains
authenticated.

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net


Steve S said:
Hi,
I have an ASP.NET 2.0 application with an ASP.NET login control in the
master page. The user can only access the home page without logging in,
all the other pages require authentication. Once the user has logged in
the login control is hidden.

To secure the users name and password does this mean my entire web site
should use SSL or can I get away with just using SSL on the home page
where they login?

Please feel free to ask for more information.
Thanks
Steve
Click to expand...
Click to expand...
 
G

George Ter-Saakov

It all depends.

Just to secure user name and password all you need is an https on the page
that actually transmits user name and password (home page in your case).

the rest of the site might not use SSL.
SSL only protects information passed between browser and server. So on any
given page you might need to make an assessment if that page has information
that needs to be encrypted by SSL or not. If not then you use http.

There is another side called User experience. Regular users know little
about SSL and how it works.
So they can freak out if they do not see that "lock" icon in the browser. So
very often you need to make the whole section of the site to be using SSL.
Like on my E-commerce site if you go to Checkout then even page where you
chose your shipping method is using SSL. Simply because I will hard time to
explain (hence lost sales) that no one cares if that user wants to ship it
with UPS or FedEx

George.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
SSL and user controls 5
SSL and postback 1
using SSL with ASP.net 2.0 7
Sharing SSL 5
SSL beginner 3
SSL Question 6
HTTPS (SSL) 1

Members online

No members online now.
Total: 53 (members: 1, guests: 52)
Robots: 237

Forum statistics

Threads
473,983
Messages
2,570,187
Members
46,747
Latest member
jojoBizaroo

Latest Threads

Top