How to imbed non-SSL links within SSL pages without using code

[CW]

I have pages, such as LogOn.aspx, Payment.aspx that enforces the use of SSL.

Every single one of my page embeds a header and menu server controls - which
have links to other pages that do not require SSL.

In the LogOn.aspx, it automatically detects in the page_load event (using
URL.Scheme property) whether SSL is running, and if not, redirect to itself
and replaces http by https in the url. This part runs fine.

However, all the other links on the logon page (including those on the menu
and header server controls) now have https rather than http as the URL
scheme. Is there anyway to get around it? The other pages do not require SSL
at all.

The method I have come up with is to turn all links into server controls,
and then modify its href property in Page_Load event. I think this adds way
too much unnecessary overhead. Is there any easier way of getting around it?

An alternative question is: if the whole site runs on SSL (i.e., I will not
stop turning SSL links into non-SSL links), is this going to cause any major
issues in terms of server load?

Another related question is whether SSL is necessary for LogOff.page. I use
FormsAuthentication (roll my own security).

A

 

[Guest]

However, all the other links on the logon page (including those on the menu
and header server controls) now have https rather than http as the URL
scheme. Is there anyway to get around it? The other pages do not require SSL
at all.

The way I do it, is to use absolute links everywhere, but without the protocol://hostname part. E.g. /home.aspx.

That means that I don't need to do any server-side processing of my navigation structure.

Once the person gets on to the SSL-version of the site, then they'll stay on SSL for any links that they follow, as all the links start with / . Whether this is a problem probably depends on the next question.

An alternative question is: if the whole site runs on SSL (i.e., I will not
stop turning SSL links into non-SSL links), is this going to cause any major
issues in terms of server load?

It has never been an issue for me, but obviously it depends on your site traffic and hardware. SSL requires more processor time for the encrypt / decrypt. You can buy dedicated hardware to do this also.

Another related question is whether SSL is necessary for LogOff.page. I use
FormsAuthentication (roll my own security).

Probably not, unless you give your users the option that their FormsAuth cookie is SSL only, in which case it'll only be set / removed while they are on the https:// server.

Kirk

 

[CW]

Thanks for the help

The way I do it, is to use absolute links everywhere, but without the

protocol://hostname part. E.g. /home.aspx.

That means that I don't need to do any server-side processing of my navigation structure.

Once the person gets on to the SSL-version of the site, then they'll stay

on SSL for any links that they follow, as all the links start with / .
Whether this is a problem probably depends on the next question.

It has never been an issue for me, but obviously it depends on your site

traffic and hardware. SSL requires more processor time for the encrypt /
decrypt. You can buy dedicated hardware to do this also.

Probably not, unless you give your users the option that their FormsAuth

cookie is SSL only, in which case it'll only be set / removed while they are
on the https:// server.