Re: Forms Authentication and SSL

From: Michael Tissington (michael_at_nospam.com)
Date: 10/22/03


Date: Wed, 22 Oct 2003 08:24:50 -0700

Jacob,

Yes, it partly answers my question.

The other aspect of this is: how do I use forms authentication with SSL?

Consider the following:

1) User views a non-SSL page
2) Clicks on a link which requires forms authentication
3) Web.config points to a https page for the login information
4) Using SSL the login information is collected
5) How then does the redirection back to the referring page work?
Is it SSL or the original protocol - can it be specified?

Basically we are just wanting to collect the user information using SSL
and then return to the protocol that was in use when the user clicked on the
link (which may or may not be https).

Thanks.

-- 
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com
"Jacob Yang [MSFT]" <jiany@online.microsoft.com> wrote in message
news:TF$S48GmDHA.576@cpmsftngxa06.phx.gbl...
> Hi Michael,
>
> From security consideration, IE will prompt us this security alert either
> when we enter into a secure website from a non-secure one, or vice versa.
> To my knowledge, we cannot dismiss this alert, unless we check the "In the
> future, do not show this warning" checkbox.
>
> This security alert is very useful in the case if we want to send out our
> secret information, such as credit account number, password, over
> internet.
> With this alert, we should be notified whether the web site we are
> communicating is a real secure or valid web site before sending out the
> secret information. Without this security alert, we have no sense whether
> the web site is secure.
>
> Does it answer your question? If I have misunderstood your concern, please
> feel free to let me know.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>

