Re: A single page from an existing application under SSL?
From: Mike Owen (MikeOwen_at_discussions.microsoft.com)
Date: Fri, 18 Mar 2005 11:07:04 -0800
Thanks for this Nicole.
Is it the case then that I could have set the web site up to be both secure
and non secure at the same time, and that when this has been done users could
go from the non secure to secure still using the same session state?
Correct me if I am wrong, but would the above mean that some of the
pages would be accessed via:
and I could switch between the 2 as long as I used literal URLs, even if the
user is logged in?
Using the same site for both seems like a good idea, if you think it will
work, but I am not sure that the transfer of all requests from the unsecure
to secure would work too well, as the site is regularly indexed by search
engines and we would not want to jeopardise this.
I wait with bated breath for your answers on the above.
"Nicole Calinoiu" wrote:
> If you're using forms authentication over HTTP, you've probably got a bigger
> problem than how to handle the credit card submission since the
> authentication ticket cookie is being transmitted in the clear. Any
> information protected by the login is therefore available to anyone who can
> steal the cookie. Your overall configuration would be far more secure if
> it were to use HTTPS as of the login (and only transmit the authentication
> cookie over HTTPS). Since credit card submission would take place after
> login, it too would be covered.
> Also, use of two parallel sites is likely to cause some headaches you could
> probably do without (e.g.: no shared session state). Things will be quite a
> bit easier if you use a single site. Of course, if you've already purchased
> a certificate for the "secure" version of the site address, you probably
> won't want to switch over to using the "shop" version. If the "shop"
> version is already in use, then eliminating it isn't much of an option
> either. Your best bet might be to set up the "shop" site to simply redirect
> to the "secure" site so that folks entering the site using a "shop" URL will
> be automatically transferred to the actual site hosted under the "secure"
> Within the "secure" site, you could allow access via HTTP until the login
> page is hit. However, the login page, and all pages used after login,
> should be accessed over HTTPS only. This will work automatically if you use
> relative URLs everywhere but in the links to the login page. For pages in
> which sensitive information (e.g.: the credit card number) is transmitted,
> it might be a good idea to enforce HTTPS use via IIS. In addition, your
> web.config file should specify that the forms authentication cookie only be
> transmitted over HTTPS (use the requireSSL attribute for the forms
> authentication element as described at
> "Mike Owen" <MikeOwen@discussions.microsoft.com> wrote in message
> > I have developed an application which all works fine, and runs under a
> > non secure connection, e.g. http://shop.domainname.co.uk .
> > I now want to run just a single page, that already exists in the
> > application, that asks user to enter credit card information, in a secure
> > environment using SSL.
> > I have set up a separate site and secured it with a certificate.
> > The main site is called shop.domainname.co.uk, and
> > the secure site is called secure.domainname.co.uk
> > Users currently have to log in to shop.domainname.co.uk using forms
> > authentication, to get to the point where they enter credit card
> > information.
> > Is it possible without writing a load of new code, to just run the credit
> > card entry page under the secure connection, and if so how?
> > Thanks, Mike.
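The single-site layout Nicole describes, as an added ASP.NET example that is not code from either poster: requests to the old "shop" host are sent permanently to the "secure" host, and the login page and post-login area are forced onto HTTPS, on the assumption that web.config sets requireSSL="true" on the forms element. The host names are from the thread; the page paths (/login.aspx, /checkout/) are assumed for the example.

```csharp
// Global.asax.cs: added example, not from the thread. Assumes web.config has
//   <authentication mode="Forms">
//     <forms loginUrl="login.aspx" requireSSL="true" protection="All" />
//   </authentication>
// so the forms-authentication cookie is marked Secure and browsers never send
// it over plain HTTP.
using System;
using System.Globalization;
using System.Web;

public class Global : HttpApplication
{
    // Host names from the thread; the paths below are assumed for this example.
    private const string LegacyHost = "shop.domainname.co.uk";
    private const string SecureHost = "secure.domainname.co.uk";
    private static readonly string[] HttpsOnlyPrefixes = { "/login.aspx", "/checkout/" };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;
        Uri url = request.Url;
        bool wrongHost = string.Compare(url.Host, LegacyHost, true) == 0;
        bool needsHttps = !request.IsSecureConnection && RequiresHttps(request.Path);
        if (!wrongHost && !needsHttps) return;

        // Same path and query on the secure host. HTTP stays allowed for public
        // pages; only the login page and the post-login area are upgraded.
        // Port = -1 drops the explicit port UriBuilder copies from the request.
        UriBuilder target = new UriBuilder(url);
        target.Host = SecureHost;
        target.Scheme = needsHttps ? "https" : url.Scheme;
        target.Port = -1;

        // 301 so search engines re-index under the new host instead of the old one.
        HttpResponse response = HttpContext.Current.Response;
        response.StatusCode = 301;
        response.AddHeader("Location", target.Uri.AbsoluteUri);
        response.End();
    }

    private static bool RequiresHttps(string path)
    {
        string p = path.ToLower(CultureInfo.InvariantCulture);
        foreach (string prefix in HttpsOnlyPrefixes)
        {
            if (p.StartsWith(prefix)) return true;
        }
        return false;
    }
}
```

With requireSSL set, an HTTP request for a post-login page arrives without the cookie, so forms authentication bounces it to loginUrl and the handler above upgrades that to HTTPS; the login link itself should still be an absolute https:// URL so the credentials are never posted in the clear.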