Mixing SSL/non SSL pages

[tesis]

Hi all gurus;
forgive me if I'm writing about a basic question.
I need to call a secured (SSL) page from a .aspx page. Calling an
absolute URL rises an error (invalid path... Virtual path required), so
I'm not able to intermix http and https calls. Is there a way to make it
so? TIA

 

[Mark Rae [MVP]]

Hi all gurus;
forgive me if I'm writing about a basic question.
I need to call a secured (SSL) page from a .aspx page. Calling an
absolute URL rises an error (invalid path... Virtual path required), so
I'm not able to intermix http and https calls. Is there a way to make it
so? TIA

Please show your code.

 

[tesis]

LOT, Mark, 4 your rpy. Here's my (real) code:

Private Sub btnRinnCrCard_Click(ByVal sender As System.Object, ByVal
e As System.EventArgs) Handles btnRinnCrCard.Click
Session("IdSocieta") = lblIdSoc.Text
Session("Denominazione") = txtDenominazione.Text
Session("ImpRinnovo") = txtImpDovuto.Text
Session("CausaleVers") = "Riaffiliazione"
Session("CodCausale") = "2"
Dim temp As String = Session.SessionID
Dim path As String = Server.MapPath(".")
'it's unuseful to store ds in a Session variable, as it will be
lost switching to https, so it needs to be serialized; better to make it
so now
dsRiepilogo.WriteXml(path + "\" + temp + ".tmp")
Dim serverName As String =
HttpContext.Current.Server.MachineName
If serverName = "AMILO" Then
Server.Transfer("wfrmPagaCarta.aspx") 'development server
Else

Server.Transfer("https://www.fih-hockey.it/TessOnLine/wfrmPagaCarta.aspx
")
End If
End Sub

 

[Mark Rae [MVP]]

Server.Transfer("https://www.fih-hockey.it/TessOnLine/wfrmPagaCarta.aspx")

Is it not simply that the above URL is actually invalid...?

 

[tesis]

Hi Mark.
No, unfortunately, the link is valid. (BTW, the site actually listens on
ports 8080/5443, which at this moment are locked but for internal
addresses, so it's unreacheable but from IPs inside the firewall). The
error thrown AFAIK indicates that an absolute url can't be used, only a
virtual one can. Does it make sense? TIA

 

[tesis]

Hi Mark, a little clarification!
The code was:

If ServerName = "AMILO" then
Server.Transfer("http://localhost/TessHockey/wfrmPagaCarta.aspx")
else
Server.Transfer("https://www.fih-hockey.it/TessOnLine/wfrmPagaCarta.aspx
")
endif

and the error was thrown even walking the 1st part of the if statement,
so for developing I changed it in a relative path.

 

[Mark Rae [MVP]]

No, unfortunately, the link is valid. (BTW, the site actually listens on
ports 8080/5443, which at this moment are locked but for internal
addresses, so it's unreacheable but from IPs inside the firewall). The
error thrown AFAIK indicates that an absolute url can't be used, only a
virtual one can. Does it make sense? TIA

Apologies - completely missed that!

Yes, you're quite correct - Server.Transfer doesn't allow absolute paths,
only relative ones, because it considers a double slash (// or \\) as an
invalid character combination:
http://msdn2.microsoft.com/en-us/library/ms525800.aspx

So, you have three choices:

1) Make the entire site https (probably not a good idea if you only require
SSL on a small section of the site)

2) Use Response.Redirect instead of Server.Transfer (not ideal because of
session management issues)
http://www.google.co.uk/search?hl=e...r.Transfer+vs+response.redirect+session&meta=

3) Use this:
http://www.codeproject.com/aspnet/WebPageSecurity_v2.asp?select=1095511&df=100&forumid=53615&exp=0
It's a superb add-in for ASP.NET and, once you've configured it, you really
can just forget it.

 

[tesis]

I really appreciate your help, Mark.
It's a very interesting solution you quotes on your 3rd chance. I'm
going to try this approach. Thanks again.

 

[Mark Rae [MVP]]

It's a very interesting solution you quotes on your 3rd chance. I'm
going to try this approach.

I use it for all my sites and web apps which require SSL.

 

[Juan T. Llibre]

re:
!> the site actually listens on ports 8080/5443

If those are the ports which the site listens on, and :
https://www.fih-hockey.it/TessOnLine/wfrmPagaCarta.aspx
is the URL you redirect to, you're redirecting to port 80, not 8080.

I wonder if that could have something to do with your problem.

If you want to redirect to that URL, on port 8080, you should use :

https://www.fih-hockey.it:8080/TessOnLine/wfrmPagaCarta.aspx

 

[Juan T. Llibre]

And, of course, that assumes you're using 8080 as your SSL port.

If you're using 5443 as your SSL port, that URL would be :

https://www.fih-hockey.it:5443/TessOnLine/wfrmPagaCarta.aspx

 

[tesis]

Thank you, Juan, 4 your interest.
Of course you're quite right: I've to include ports in URL if not
addressing port 80 for http and 443 for https. I've just striped ports
from code snipplets for the sake of simplicity. The real code should
address the real ports. I guess I should write in web.config:
encrypedUri="www.mysite.com:5443" unencriptedUri="www.mysite.com:8080".
Have a nice day.

 

[tesis]

Hi Mark,
forgive me if I'm bothering you once more.
Since the real code should address the real ports, I guess I've 2 write
in web.config:

encrypedUri="www.mysite.com:5443" unencriptedUri="www.mysite.com:8080"

Am I correct? If not, how2 address non-standard ports?
At the moment, I'm configuring my development environment with version
2.6, since it's FW 1.1 (BTW, notices are 4 3.1, and this caused me some
headache), and addressing ports with encrypted/unencryptedUri is working
fine.
A curious side effect of this module is that having 2 bg pictures with
same name in unsecure dir and secure dir, pages are displayed 1st time
with "unsecure" bg, and then, only when secured, with "secure" bg;
actually, I'm going to use this effect for my advantage.
Have a nice day, and LOT again.

 

[tesis]

Hi gurus.
This approach behaves well in my dev enironment. While switched to
production, however, problems arise. Variable fields in the page are not
saved. Session variables are no more mantained between pages ('cause
SessionId changes) when security module switches between http and https,
nor context variables do. I've read a suggestion to use server.execute,
but this mixes page contents. Cache objects last too long, and
application's can't be used as it's system-wide, and many users can use
the same app at the same time. Cookies may be disabled on clients' side,
and since security module handles the request generating a second
request when switching contexts, even QueryString, I guess (this one are
not have tested), can't be used. What else can I do?