Re: How to use SSL for login page only
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Mar 2008 09:56:56 -0600
Setting requireSSL to True in the web.config for the forms authentication
section will take care of the Secure flag. I'd check out the additional
MSDN docs and articles on Forms auth to get more details. Here is one
starting place:
http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidlawBeyond01com@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:83DD9E6C-1081-42C9-A151-AA3CC7A1D9B1@xxxxxxxxxxxxxxxx
hey Joe,
Thanks for the advice. Do you know where I might see an example of how to
set this tag?
Thanks!
Cory
"Joe Kaplan" wrote:
That may be ok too, as long as EVERY request to the server that needs to
be
secure goes though SSL. If you just secure the login page, that likely
isn't enough. If you see a site doing that, I would not use it. I
especially would not give them your credit card. :)
You can partition your site into secure and unsecure areas. You can also
set flags on your forms auth cookie to tell the browser to only send it
on
an SSL connection (called the "Secure" flag). That is an important
detail
to remember. I'd also set the HttpOnly flag on the cookie while you are
at
it, as that helps prevent against a variety of cross site scripting
attacks.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidlawBeyond01com@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:461D1794-3DD5-4122-8DD5-CBC36E1D15D5@xxxxxxxxxxxxxxxx
Joe,
thanks for responding. I see your point.
I just notice that several websites only employ SSL at certain periods,
say
when providing credit card information. Once completed, they turn SSL
off
again.
Cory
"Joe Kaplan" wrote:
Why would you put only the login page under SSL? What makes you think
that
provides any security? Sure, you can encrypt the connection when the
user
is providing their plaintext password, but if someone snoops on a
different
request that isn't encrypted and steals the user's cookie (just as
easy
as
stealing the pwd from the form post), they own the user just the same.
It
begs the question as to why bothering with SSL at all.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Cory J. Laidlaw, Beyond01.com"
<CoryJLaidlawBeyond01com@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2CD56D2-634F-4BAF-BB82-9A565C7A1C90@xxxxxxxxxxxxxxxx
Hi there,
I need to setup a web site that starts with a public home page.
I would then like to have a link to a login page so I can
authenticate
them
against a database.
When I launch my project, it starts under HTTP, which is great. How
can
I
make sure the Login page is under HTTPS?
Thanks for any help you can provide!
Cory
.
- Follow-Ups:
- Re: How to use SSL for login page only
- From: Cory J. Laidlaw, Beyond01.com
- Re: How to use SSL for login page only
- References:
- Re: How to use SSL for login page only
- From: Joe Kaplan
- Re: How to use SSL for login page only
- From: Cory J. Laidlaw, Beyond01.com
- Re: How to use SSL for login page only
- From: Joe Kaplan
- Re: How to use SSL for login page only
- From: Cory J. Laidlaw, Beyond01.com
- Re: How to use SSL for login page only
- Prev by Date: Re: How to use SSL for login page only
- Next by Date: Re: How to use SSL for login page only
- Previous by thread: Re: How to use SSL for login page only
- Next by thread: Re: How to use SSL for login page only
- Index(es):
Relevant Pages
|
|
