Re: How to use SSL for login page only



That may be ok too, as long as EVERY request to the server that needs to be
secure goes through SSL. If you just secure the login page, that likely
isn't enough. If you see a site doing that, I would not use it. I
especially would not give them your credit card. :)

You can partition your site into secure and unsecure areas. You can also
set flags on your forms auth cookie to tell the browser to only send it on
an SSL connection (called the "Secure" flag). That is an important detail
to remember. I'd also set the HttpOnly flag on the cookie while you are at
it, as that helps protect against a variety of cross-site scripting attacks.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidlawBeyond01com@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:461D1794-3DD5-4122-8DD5-CBC36E1D15D5@xxxxxxxxxxxxxxxx
Joe,

thanks for responding. I see your point.

I just notice that several websites only employ SSL at certain periods,
say when providing credit card information. Once completed, they turn SSL
off again.

Cory

"Joe Kaplan" wrote:

Why would you put only the login page under SSL? What makes you think
that provides any security? Sure, you can encrypt the connection when the
user is providing their plaintext password, but if someone snoops on a
different request that isn't encrypted and steals the user's cookie (just
as easy as stealing the pwd from the form post), they own the user just
the same. It begs the question as to why bother with SSL at all.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidlawBeyond01com@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2CD56D2-634F-4BAF-BB82-9A565C7A1C90@xxxxxxxxxxxxxxxx
Hi there,

I need to set up a web site that starts with a public home page.

I would then like to have a link to a login page so I can authenticate
them against a database.

When I launch my project, it starts under HTTP, which is great. How can I
make sure the Login page is under HTTPS?

Thanks for any help you can provide!

Cory
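
Added example, not part of the original thread: a small Python model of the cookie behaviour discussed above, showing which requests on a login-only-SSL site carry the forms auth cookie in the clear and which hardening flags a Set-Cookie value lacks. The cookie name .ASPXAUTH (the ASP.NET default), the cookie value, and the shop.example URLs are assumptions constructed for illustration.

```python
# Added example: model which requests carry the forms auth cookie.
# All header values and URLs below are constructed sample data.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs

def sent_with(url, header):
    """True if a browser would attach this cookie to a request for url.
    Only the Secure flag is modelled; domain, path and expiry are ignored."""
    _, attrs = parse_set_cookie(header)
    return urlsplit(url).scheme == "https" or "secure" not in attrs

def audit(header):
    """List the hardening flags missing from one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return name, missing

# .ASPXAUTH is the default ASP.NET forms auth cookie name (assumed here).
WEAK = ".ASPXAUTH=0A1B2C3D; path=/"
HARDENED = ".ASPXAUTH=0A1B2C3D; path=/; Secure; HttpOnly"

# A site that uses SSL for login only: later pages are plain HTTP.
REQUESTS = [
    "https://shop.example/login.aspx",
    "http://shop.example/catalog.aspx",
    "http://shop.example/account.aspx",
]

def exposed_requests(header):
    """Plain-HTTP requests on which the cookie travels unencrypted."""
    return [u for u in REQUESTS
            if urlsplit(u).scheme == "http" and sent_with(u, header)]

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdr), exposed_requests(hdr))
```

With the Secure flag set, the plain-HTTP pages no longer receive the cookie at all, so any page that needs the user's identity has to be served over SSL as well.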
