using HTTPS for a login page

Stimp

I have a login page on a Windows IIS server: login.aspx

I'd like to enable the user to optionally use HTTPS to log in
so that their password would not be easily snooped out.

What does this involve exactly?
I know that you use a https prefix instead of http, but that's it.

Is there configuration of directories necessary?
Got a good website for this basic info on https?

Also, I'll issue the user with a cookie (not persistent) once they log
in. It will be a session cookie created using the user name and
MachineKey alone... if this cookie were intercepted would an attacker be
able to use this for a replay attack? i.e. would I need to use https for
every page on the site where you need to be logged in to access or just
the login page? I know that Yahoo mail only uses https on the login page.

Cheers!
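
An added example, not part of the original posts: a Python model of the cookie scheme described above, assuming the cookie is an HMAC of the user name under a server key (the thread does not show the actual ASP.NET code, so every name here is hypothetical). It shows that such a value is identical on every login, so a copy read off a plain-HTTP request stays valid, and contrasts it with a signed expiry plus the `Secure` cookie flag.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the server's MachineKey (assumption: the real
# cookie is some keyed function of the user name and this secret only).
MACHINE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _sign(message: str) -> str:
    return hmac.new(MACHINE_KEY, message.encode(), hashlib.sha256).hexdigest()


def static_cookie(username: str) -> str:
    """Scheme from the post: depends on the user name and the key only."""
    return f"{username}|{_sign(username)}"


def static_cookie_valid(cookie: str) -> bool:
    username, _, mac = cookie.partition("|")
    return hmac.compare_digest(mac.encode(), _sign(username).encode())


def expiring_cookie(username: str, now: float, ttl: int = 1200) -> str:
    """Hardened variant: signed expiry and per-login nonce (no '|' in names)."""
    body = f"{username}|{int(now) + ttl}|{secrets.token_hex(8)}"
    return f"{body}|{_sign(body)}"


def expiring_cookie_valid(cookie: str, now: float) -> bool:
    body, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(body).encode()):
        return False
    try:
        expires = int(body.split("|")[1])
    except (IndexError, ValueError):
        return False
    return now < expires


def set_cookie_header(value: str) -> str:
    """Secure keeps the cookie off plain-HTTP requests; HttpOnly hides it from script."""
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    print(static_cookie("stimp") == static_cookie("stimp"))  # same value every login
    print(set_cookie_header(expiring_cookie("stimp", time.time())))
```

The expiring cookie is still accepted from anyone who holds it until it expires, which is why the `Secure` flag, and HTTPS on every page that receives the cookie, matter as much as the login page itself.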
 
rf

Stimp said:
I have a login page on a Windows IIS server: login.aspx

I'd like to enable the user to optionally use HTTPS to log in
so that their password would not be easily snooped out.

Optionally?

Hmmm.

A user who does not know what HTTPS means (most of them) would be unlikely
to worry about choosing one way or the other.

A user who does know what HTTPS means would *expect* you to use this and a
few other things as well to make things secure. [1].

If you need to ask this question here then IMHO you really need to rethink
your entire security setup :) Or is this just for a blog?

[1] One of the institutions I deal with uses HTTPS etc but if I forget my
password I can get it back, online, using two pieces of information: 1) My
account number and 2) my date of birth. Now, if somebody finds out my
account number (a very loosely guarded secret) they can surely find out my
DOB, which is after all in the public domain at the registry of births
deaths and marriages. I no longer deal with that institution online.
 
rf

Stimp said:
I have a login page on a Windows IIS server: login.aspx

Ah, another bloody idiot who has set followups to something other than the
many disparate newsgroups mentioned in the original post.

Do you know that people in those other newsgroups (like alt.html) will not
see any of the posts made by other people from those groups? They will
assume nobody has answered the question and thus will waste their time
answering again.
 
Stimp

A user who does not know what HTTPS means (most of them) would be unlikely
to worry about choosing one way or the other.

Take a look at Yahoo Mail.. it allows the user to select 'Standard' or
'Secure' login.. obviously they will know that a 'Secure' login will
make their password 'more hidden' from surprise attacks

You should probably give people more credit
account number (a very loosely guarded secret) they can surely find out my
DOB, which is after all in the public domain at the registry of births
deaths and marriages. I no longer deal with that institution online.

The rest of your post has no useful information whatsoever.. what a
waste of your time :)
 
Mark Rae

Ah, another bloody idiot who has set followups to something other than the
many disparate newsgroups mentioned in the original post.

Do you know that people in those other newsgroups (like alt.html) will not
see any of the posts made by other people from those groups? They will
assume nobody has answered the question and thus will waste their time
answering again.

If the OP hadn't cross-posted in the first place...
 
David Jessee

Poor thing. Sounds like someone wasn't picked for the kickball team in
kindergarten and is still bitter. Lighten up, dude.
 
Stimp

Ah, another bloody idiot who has set followups to something other than the
many disparate newsgroups mentioned in the original post.


"USENET troll in obnoxious posting shocker!"
 
PL

What does this involve exactly?
I know that you use a https prefix instead of http, but that's it.

Buying a certificate for your domain and installing it into IIS.

If it's an "intranet" type of application you can download the
IIS Resourcekit Tools and generate one to use, but you'll
never get past the warnings.

PL.
 
