SSL Question

Joe Fallon

I use Forms authentication to ensure that users login prior to accessing any
protected forms.
Works fine.

When they get redirected to the logon page I would like to know if an SSL
session could be established just for that page so their credentials are
sent over an encrypted channel.

I can set the whole site to use SSL. What I want to know is:
Can I set the site to not use SSL except for the logon page?

Thanks.

WJ

No. Because when you define your SSL certificate, it is meant for the entire
site (either port 443). I do not think there is a way around.

John

Guest

You can mix and match http and https as a means to access the same pages any
way you want, but you have to be really careful about this. This can create
security holes. For instance, a hacker can wait for somebody to authenticate
and when the user switches to a non-protected page, using network sniffer
steal his session cookie. Knowing the value of this cookie the hacker will be
able to connect to the existing session impersonating the authenticated user
and circumventing your authentication.

WJ

mfeingold said:
You can mix and match http and https as a means to access the same pages any
way you want, but you have to be really careful about this. This can create
security holes. For instance, a hacker can wait for somebody to authenticate
and when the user switches to a non-protected page, using network sniffer
steal his session cookie. Knowing the value of this cookie the hacker will be
able to connect to the existing session impersonating the authenticated user
and circumventing your authentication.

How can you, after being successfully authenticated by the SSL site (Logon
page protected by SSL), being redirected to a non-SSL page and expect the
non-SSL page to understand the encrypted session or how can you pass the
authenticated package to a non-SSL page.

Example: From https://mysite1.com/Login.Aspx, you call
http://mysite2.com/somePage.aspx. In this "somePage.aspx.OnPage_Load event",
how does the "if(this.IsAuthenticated)" instruction work? How does it know that
your user has been authenticated successfully from the 1st login site? How
can the 2nd site decrypt the SSL/encrypted package sent in the 1st site, if
it is possible?

Thanks,

John

Guest

You are right, in the scenario you presented it is not possible, but this is
not the scenario I was talking about.

Think of a site with a login page https://mysite1.com/Login.Aspx which after
login redirects to http://mysite1.com/SomeOther.aspx. The http response to
the second request will not be encrypted and will have the cookie with the
sessionID. If somebody would install a sniffer and intercept and parse this
request on its way from the web server to the web browser, he will be able to
figure out it all. And knowing the cookie, he will be able to connect to the
existing session on the server. Where he will be able to go from there all
depends on the design of the application, but the authentication is breached.

Guest

Keep in mind that ssl is a transport level encryption. ASP .net never sees
the encrypted state. An encrypted ssl request and an unencrypted non-ssl
request look exactly the same to asp .net. Also, I've seen sites that have
the login page use ssl and then submit to a non-ssl page for processing.
This means that the password and user name are sent in an unencrypted
fashion. HTH, Scott
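The cookie exposure mfeingold describes (the forms ticket riding on a plain-HTTP response after an HTTPS login) and Scott's point that ASP.NET does not see the transport by itself both come down to one setting: whether the authentication cookie is issued with the Secure attribute. The web.config fragment below is an added example, not code from anyone in this thread; it assumes ASP.NET 2.0 or later, and the cookie name, login URL and host are placeholders. The weak line is shown commented out beside the hardened one.

```xml
<!-- Constructed example: web.config for a site using Forms authentication. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- WEAK: cookie has no Secure attribute. After the HTTPS login the
           browser also attaches it to every http:// request, so a sniffer on
           the path can capture and replay it (protection="All" only encrypts
           and signs the ticket contents; it does not prevent replay). -->
      <!-- <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" protection="All" /> -->

      <!-- HARDENED: requireSSL="true" makes ASP.NET set the Secure attribute
           on the forms cookie and refuse to issue it on a non-SSL request
           (FormsAuthentication throws an HttpException instead). -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             slidingExpiration="true" />
    </authentication>

    <!-- Also mark every cookie the application emits (including the session
         cookie) Secure and HttpOnly, so neither plain HTTP nor page script
         can read them. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The practical consequence answers the original question: once the cookie is Secure, the browser never sends it over http://, so any page that relies on IsAuthenticated must itself be served over HTTPS. Confining SSL to Login.aspx alone either exposes the ticket on the HTTP pages (weak setting) or logs the user out the moment they leave HTTPS (hardened setting); the authenticated part of the site has to stay on HTTPS end to end.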

WJ

Thanks all for clarification. I am still not convinced fully, I am testing
yours to see if this is possible.

John