Pros and cons for using https on a logon page?

R

Randall Parker

1) What sorts of scenarios make the possibility of sniffing out a password a higher risk?

2) Do packets travel unencrypted over 802.11 wireless? Is it easy to sniff such
packets and catch a submit of a logon web page using http? Wireless strikes me as the
greatest risk.

3) Have you used http or https for Logon.aspx pages and why?

4) Anyone know if IIS on Windows Server 2003 has https built in? Easy or hard to
configure?

5) If one uses https does one have to do any different code in the CodeBehind for the
web page? Or is that all handled in the IIS configuration and Web.config?

6) How does one redirect from an https logon back to the http page the user logged in
on? Does the http part show up in the RETURNURL argument?
 
N

neilmcguigan

Hi Randall,

I'd recommend reading this article regarding switching betweeen HTTP
and HTTPS automatically:

http://www.codeproject.com/aspnet/WebPageSecurity_v2.asp

You can install the free SelfSSL as part of the IIS resource kit. Users
will get a warning that your certificate is not trusted, but the
connection will be encrypted:

http://www.microsoft.com/downloads/...ee-a71a-4c73-b628-ade629c89499&displaylang=en

RapidSSL has pretty cheap trusted SSL certificates:

http://www.rapidssl.com/ssl-certificate-products/rapidssl/ssl-certificate-rapidssl.htm

Regarding your questions:

1. if someone can see a packet going to your server, they can see the
password if not using SSL.

2. if using encrypted wireless, then no. But the leg of the trip that
does not go over encrypted wireless will not be encrypted.

3. yes. to increase user trust, and to prevent packet sniffing

4. IIS supports SSL, but you need an SSL certificate.

5. you won't need to change any code. you can enforce SSL using IIS

6. see the first link

Cheers

Neil
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

I want to have a button in a web page with action for open new phone contact page and fill it with some date 1
How do I set the default content page) on a Classic ASP file? 0
Pros and Cons of Ruby vs JRuby for GUI 10
ASP.Net 2.0: Pros and cons of putting connection string in a DLL 10
using HTTPS for a login page 7
Help with code 0
URL-Rewriting, referer and https 3
Sign in using https becomes anonymous for pages using http 0

Members online

Total: 78 (members: 2, guests: 76)
Robots: 496

Forum statistics

Threads
473,995
Messages
2,570,230
Members
46,817
Latest member
DicWeils

Latest Threads

Top