Re: A single page from an existing application under SSL?
From: Nicole Calinoiu (calinoiu)
Date: 03/17/05
- Previous message: Mike Owen: "A single page from an existing application under SSL?"
- In reply to: Mike Owen: "A single page from an existing application under SSL?"
- Next in thread: Mike Owen: "Re: A single page from an existing application under SSL?"
- Reply: Mike Owen: "Re: A single page from an existing application under SSL?"
Date: Thu, 17 Mar 2005 08:55:09 -0500
If you're using forms authentication over HTTP, you've probably got a bigger
problem than how to handle the credit card submission since the
authentication ticket cookie is being transmitted in the clear. Any
information protected by the login is therefore available to anyone who can
steal the cookie. Your overall configuration would be far more secure if
it were to use HTTPS as of the login (and only transmit the authentication
cookie over HTTPS). Since credit card submission would take place after
login, it too would be covered.
Also, use of two parallel sites is likely to cause some headaches you could
probably do without (e.g.: no shared session state). Things will be quite a
bit easier if you use a single site. Of course, if you've already purchased
a certificate for the "secure" version of the site address, you probably
won't want to switch over to using the "shop" version. If the "shop"
version is already in use, then eliminating it isn't much of an option
either. Your best bet might be to set up the "shop" site to simply redirect
to the "secure" site so that folks entering the site using a "shop" URL will
be automatically transferred to the actual site hosted under the "secure"
address.
Within the "secure" site, you could allow access via HTTP until the login
page is hit. However, the login page, and all pages used after login,
should be accessed over HTTPS only. This will work automatically if you use
relative URLs everywhere but in the links to the login page. For pages in
which sensitive information (e.g.: the credit card number) is transmitted,
it might be a good idea to enforce HTTPS use via IIS. In addition, your
web.config file should specify that the forms authentication cookie only be
transmitted over HTTPS (use the requireSSL attribute for the forms
authentication element as described at
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp).
HTH,
Nicole
"Mike Owen" <MikeOwen@discussions.microsoft.com> wrote in message
news:2F1A340D-FCB8-4137-9B7A-148C68E32376@microsoft.com...
> I have developed an application which all works fine, and runs under a normal
> non secure connection, e.g. http://shop.domainname.co.uk .
>
> I now want to run just a single page, that already exists in the
> application, that asks user to enter credit card information, in a secure
> environment using SSL.
>
> I have set up a separate site and secured it with a certificate.
>
> The main site is called shop.domainname.co.uk, and
> the secure site is called secure.domainname.co.uk
>
> Users currently have to log in to shop.domainname.co.uk using forms
> authentication, to get to the point where they enter credit card
> information.
>
> Is it possible without writing a load of new code, to just run the credit
> card entry page under the secure connection?, and if so how?
>
>
> Thanks, Mike.
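
The requireSSL setting recommended in the reply can be checked mechanically. The following is an added example, not part of the original thread: a small audit that parses a web.config and reports when the forms authentication ticket cookie is allowed over plain HTTP. The two sample configs, the function name audit_forms_auth and the loginUrl heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). In WEAK, requireSSL is
# absent, which ASP.NET treats as false.
WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" name=".ASPXAUTH" />
  </authentication>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="https://secure.domainname.co.uk/login.aspx"
           name=".ASPXAUTH" requireSSL="true" />
  </authentication>
</system.web></configuration>"""


def _local(tag):
    # Drop an XML namespace prefix if the config file declares one.
    return tag.rsplit("}", 1)[-1]


def audit_forms_auth(web_config_xml):
    """Return a list of findings for the forms authentication section."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for auth in root.iter():
        if _local(auth.tag) != "authentication":
            continue
        if auth.get("mode", "").lower() != "forms":
            continue
        forms = next((c for c in auth if _local(c.tag) == "forms"), None)
        attrs = forms.attrib if forms is not None else {}
        # A missing <forms> element or attribute means the default: false.
        if attrs.get("requireSSL", "false").lower() != "true":
            findings.append("requireSSL is not true: the authentication "
                            "ticket cookie may be sent over HTTP")
        # Heuristic (assumption): a relative loginUrl keeps the scheme of the
        # request that triggered the redirect, so it can land on HTTP.
        if not attrs.get("loginUrl", "").lower().startswith("https://"):
            findings.append("loginUrl is not an absolute https:// URL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_forms_auth(cfg) or "no findings")
```

The loginUrl finding is advisory only: it does not apply when HTTPS is already enforced for the login page in IIS, as the reply suggests for sensitive pages.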