SSL and user controls

[jacques.m.steward]

I want to minimize the amount of SSL traffic on my page so, can I Have
SSL for the Login User Control and Not the rest of the page? How do I
tell if the Login is secure?

 

[Marina Levit [MVP]]

Think of the user control as a button. You wouldn't expect a button to be
SSL all on its own, right? After all, it is just an <input> tag. And your
user control also ends up being a bunch of tags and javascript on your page
as if you had placed all those things on your page manually.

 

[jacques.m.steward]

So whats the best solution? A redirect to an SSL page and a redirect
back after authentication?

 

[Hans Kesting]

So whats the best solution? A redirect to an SSL page and a redirect

back after authentication?

There are probably ways around it, using for example a database as
intermediate store, but it's not "simple".
The browser handles "http://www.yoursite.com" and
"https://www.yoursite.com" as two separate sites. This means that the
session-cookie of one is *not* transfered to the other. As a result
those two parts can't share sessions.

A suggestion:
- login at the https part
- store that fact in the database, under a newly generated guid plus
expiry date
- redirect to the http part, using that guid as parameter
- read the credentials stored under the guid, test if it is not
expired.
- store the credentials in the local session and remove the db-record

Hans Kesting

 

[George Ter-Saakov]

You are a bit wrong here.
Browsers are "smart" enough to know that http and https same sites. So
cookies and Session stays the same for http and https.


Otherwise you will never be able to login anywere

George.

 

[George Ter-Saakov]

The way we do it is to do login with https and then redirect to not https
version of the site.

George.