473,847 Members | 1,845 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How to Use SSL only for Login.aspx page

Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld

May 24 '06 #1
6 4700
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once you
have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send them
to an unsecured site. Unless you are using session to validate login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld

May 25 '06 #2
Hi, momo

I'm trying to do exact the same thing, but if I used response.redire ct
method, the session value got lost, such that
HTTP//www.YourWebsite .com/Whereever.aspx will not be able to let the
authorized user to access it

Is it possible to bring the session variable across from https to http? or
any suggestion to resolve this issue?

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:eS******** ******@TK2MSFTN GP05.phx.gbl...
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once you
have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send
them to an unsecured site. Unless you are using session to validate login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld


May 25 '06 #3
Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieve it
from the unsecured page. This way no one can see the session value. It will
take two steps to do this.

When your login page authenticates a user you have to take them to another
secure page or you could use the same one. But in the page you will have a
form with a hidden textbox and a button that ask the user to click to
proceed, this button will then redirect then to the unsecure page. Then on
the unsecured page retrieve the hidden textbox value and put it into a
session and off you go.

Good luck

Momo

"Rabbit" <a@a.com> wrote in message
news:%2******** *********@TK2MS FTNGP05.phx.gbl ...
Hi, momo

I'm trying to do exact the same thing, but if I used response.redire ct
method, the session value got lost, such that
HTTP//www.YourWebsite .com/Whereever.aspx will not be able to let the
authorized user to access it

Is it possible to bring the session variable across from https to http? or
any suggestion to resolve this issue?

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:eS******** ******@TK2MSFTN GP05.phx.gbl...
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once
you have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send
them to an unsecured site. Unless you are using session to validate
login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld



May 25 '06 #4
Hi, momo,

yeap, got it, will try it out! thanks very much!

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:%2******** ********@TK2MSF TNGP04.phx.gbl. ..
Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieve
it from the unsecured page. This way no one can see the session value. It
will take two steps to do this.

When your login page authenticates a user you have to take them to another
secure page or you could use the same one. But in the page you will have a
form with a hidden textbox and a button that ask the user to click to
proceed, this button will then redirect then to the unsecure page. Then on
the unsecured page retrieve the hidden textbox value and put it into a
session and off you go.

Good luck

Momo

"Rabbit" <a@a.com> wrote in message
news:%2******** *********@TK2MS FTNGP05.phx.gbl ...
Hi, momo

I'm trying to do exact the same thing, but if I used response.redire ct
method, the session value got lost, such that
HTTP//www.YourWebsite .com/Whereever.aspx will not be able to let the
authorized user to access it

Is it possible to bring the session variable across from https to http?
or any suggestion to resolve this issue?

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:eS******** ******@TK2MSFTN GP05.phx.gbl...
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once
you have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send
them to an unsecured site. Unless you are using session to validate
login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld



May 26 '06 #5
Hi, momo

I'm sorry to bother you again, I have tried different ways to get the value
of the source page(such as request.form("h iddenLogin")), I still cannot
retrieve the hidden textbox value from the secure page, in fact seems to me
using redirect method will lost values of all controls. As I can use
querystring to passed the authenticated info. Can you tell me how can you
implement this?

Thanks in advance!
Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:%2******** ********@TK2MSF TNGP04.phx.gbl. ..
Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieve
it from the unsecured page. This way no one can see the session value. It
will take two steps to do this.

When your login page authenticates a user you have to take them to another
secure page or you could use the same one. But in the page you will have a
form with a hidden textbox and a button that ask the user to click to
proceed, this button will then redirect then to the unsecure page. Then on
the unsecured page retrieve the hidden textbox value and put it into a
session and off you go.

Good luck

Momo

"Rabbit" <a@a.com> wrote in message
news:%2******** *********@TK2MS FTNGP05.phx.gbl ...
Hi, momo

I'm trying to do exact the same thing, but if I used response.redire ct
method, the session value got lost, such that
HTTP//www.YourWebsite .com/Whereever.aspx will not be able to let the
authorized user to access it

Is it possible to bring the session variable across from https to http?
or any suggestion to resolve this issue?

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:eS******** ******@TK2MSFTN GP05.phx.gbl...
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once
you have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send
them to an unsecured site. Unless you are using session to validate
login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
Hi,

I have a scenario where i need to configure only Login.aspx page to use
SSL. All other application will run on HTTP protocol. If someone can
guide me how to accomplish this. One of my idea is to keep login.aspx
page in a seperate Virtual director and apply SSL only on that
directory but i dont know if it will have an impact on session (may be
it will create two sessions due to two different virtual directories).
If some one can guide me what is best practice to accomplish it.

Regards,

BizWorld



May 26 '06 #6
Rabbit,

I would not recommend passing the session info in your URL because that
would defeat the purpose of logging in. All someone would need to know is
the link and they can bypass the login page. As for why it does not work I
don't know. But I found something that might help. Try it and if it work
reply back to me and them to the post.

Here you go.

############### ############### #############
a.. A52: At first, you should know, that if you share an unsecured session
with a secure session, you void the security of the https session, since a
network sniffer, could retrieve the cookie and use identity theft on the
https session!
However, we have made ISP Session as safe as possible for you
The steps to follow to share a session and to fix the security hole you
create by sharing a http session with https.

a.. In global.asa set Application("Co okieNoSSL") = True.
b.. Just before you redirect to https set Session.ReEntra nce = True, this
allows a browser to continue a session while the hostname or even the
complete URL changes.
c.. At the redirected page, you disable ReEntrance again by
Session.ReEntra nce = False. If you go back to http, you should repeat the
same trick.
d.. To fix the security hole of sharing secure between unsecure (and vice
versa) you should set Session.LiquidC ookie = True in Session_OnStart .
Note that you should thoroughly test your site after setting this option.
LiquidCookies causes a session key to be valid for just one page request,
after that request, a new key is automatically generated and established
with your browser! So if a browser misses just one request, the session is
lost.
############### ############### ###########
Good luck.

Momo.

"Rabbit" <a@a.com> wrote in message
news:eM******** ******@TK2MSFTN GP03.phx.gbl...
Hi, momo

I'm sorry to bother you again, I have tried different ways to get the
value of the source page(such as request.form("h iddenLogin")), I still
cannot retrieve the hidden textbox value from the secure page, in fact
seems to me using redirect method will lost values of all controls. As I
can use querystring to passed the authenticated info. Can you tell me how
can you implement this?

Thanks in advance!
Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:%2******** ********@TK2MSF TNGP04.phx.gbl. ..
Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieve
it from the unsecured page. This way no one can see the session value. It
will take two steps to do this.

When your login page authenticates a user you have to take them to
another secure page or you could use the same one. But in the page you
will have a form with a hidden textbox and a button that ask the user to
click to proceed, this button will then redirect then to the unsecure
page. Then on the unsecured page retrieve the hidden textbox value and
put it into a session and off you go.

Good luck

Momo

"Rabbit" <a@a.com> wrote in message
news:%2******** *********@TK2MS FTNGP05.phx.gbl ...
Hi, momo

I'm trying to do exact the same thing, but if I used response.redire ct
method, the session value got lost, such that
HTTP//www.YourWebsite .com/Whereever.aspx will not be able to let the
authorized user to access it

Is it possible to bring the session variable across from https to http?
or any suggestion to resolve this issue?

Keith
"momo" <ma***@seeourwe b.com> wrote in message
news:eS******** ******@TK2MSFTN GP05.phx.gbl...
Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once
you have authenticated the user then redirect them to
HTTP//www.YourWebsite .com/Whereever.aspx this should work. The code to
redirect is

response.Redire ct( HTTP//www.YourWebsite .com/Whereever.aspx ).

What I don't understand is way you are having them log in but then send
them to an unsecured site. Unless you are using session to validate
login.

good luck

Momo

"BizWorld" <mo**********@g mail.com> wrote in message
news:11******** **************@ 38g2000cwa.goog legroups.com...
> Hi,
>
> I have a scenario where i need to configure only Login.aspx page to
> use
> SSL. All other application will run on HTTP protocol. If someone can
> guide me how to accomplish this. One of my idea is to keep login.aspx
> page in a seperate Virtual director and apply SSL only on that
> directory but i dont know if it will have an impact on session (may be
> it will create two sessions due to two different virtual directories).
> If some one can guide me what is best practice to accomplish it.
>
> Regards,
>
> BizWorld
>



May 26 '06 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
2215
by: Paul | last post by:
Title: What are the Consequences of Aspx page separate from app DLL Hi JL; I am working on a big asp.net application. When we migrate the dll (or dlls) to the production server, all users who are login into the application are pumped off. In fact we must close down the server (to preserve users from being logged on and thinking they are updating data when it is in fact lost when we move the dlls to the the applications bin directory)....
2
5363
by: Murphy | last post by:
Our website contains subdirectories for each subsidiary company, each company has it's own look and feel to the pages in their subdirectory although they are all part of the main website. The code below in the Web.Config file defines the authentication as forms and the aspx file required for login if the user is unauthenticated... this works well for the root level company web pages however when a user viewing the website of SubCompanyA...
1
4217
by: frekster | last post by:
All, Windows xp pro box with vs 2003 and .net 1.1 installed. Downloaded a project from source safe via vpn to my ome pc to work from home. I have three other projects on my pc that works fine with the vpn. This one, however, is being a bugger. Every time I start it, I get a 404 error stating login.aspx is not found. However, there is no login.aspx file in the entire project *nor* should there ever be. The project is using forms...
1
2054
by: frolda | last post by:
Hi, I moved my login.aspx page from root to a subdirectory and made -hopefully- all necessary changes for all Login controls. All the controls work just fine, except one. To my regret, the LoginStatus control still uses the old, root-located login.aspx intead of subdir/login.aspx. What's interesting is that for logout it works perfectly (path to subdir/logout.aspx is recognized OK). Could anyone write me please, where does the...
0
999
by: PolarBears | last post by:
We have several ASPX 1.1 web applications that reference a Login.aspx page. Now groups and roles have been added to .NET 2.0. And we now have the new Visual Studio 2005. I am guessing that with the differences between the two ..NET versions that a 2.0 web app cannot reference a 1.1 Login.aspx page and vice versa. Right or wrong? Even if it could I think the new 2.0 web apps we would want to take advantage of roles and use a 2.0...
3
2270
by: Big Charles | last post by:
Hi, How to redirect any page to Login.aspx? I tried writting this in web.config <authentication mode="Forms"> <forms name="aucoockie" loginUrl="wf_login.aspx" protection="All" path="/" /> </authentication> <authorization>
2
2241
by: vikramp | last post by:
Hi, I am trying to learn new membership/roles features of ASP.NET 2.0. When we setup forms authentication and specify deny users="?" under authorization, the application asks for login. My problem is: It always looks for Login.aspx page by default. What if the name of my login page is different than Login.aspx? Where do I specify the name of my login page? thanks.
3
1489
by: Andy B | last post by:
How do you rename the login.aspx page and still make it work? and How would you determine what you should rename it to?
0
951
by: chet | last post by:
We have a number of existing asp.net applications where our clients now want to content manage the login page. The applications have not been developed with content management in mind and its really just the login.aspx page that they want to manage the content for. Is there a (simple) content management system that can be "retro- fitted" to manage the home pages of these applications? Thanks Chet
0
10645
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10706
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10331
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9480
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7880
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7053
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5909
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4523
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
3160
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.