using HTTPS for a login page

P: n/a
I have a login page on a Windows IIS server: login.aspx

I'd like to enable the user to optionally use HTTPS to login
so that their password would not be easily snooped out.

What does this involve exactly?
I know that you use a https prefix instead of http, but that's it.

Is there configuration of directories necessary?
Got a good website for this basic info on https?

Also, I'll issue the user with a cookie (not persistent) once they log
in. It will be a session cookie created using the user name and
MachineKey alone... if this cookie were intercepted would an attacker be
able to use this for a replay attack? i.e. would I need to use https for
every page on the site where you need to be logged in to access or just
the login page? I know that Yahoo mail only uses https on the login page

Cheers!
--

"I hear ma train a comin'
.... hear freedom comin"
Nov 18 '05 #1
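
Added example (not part of the original post, and not ASP.NET's own ticket format): a Python model of the cookie design described in the question, with a server key standing in for MachineKey. It shows that a MAC stops tampering but not replay of a captured copy, that an expiry only bounds the replay window, and that the Secure attribute keeps a browser from sending the cookie over plain http. `SERVER_KEY`, the `user|expires|mac` layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the server-side secret (the post's MachineKey).
SERVER_KEY = b"constructed-demo-key-not-a-real-machinekey"


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, ttl=None, now=None):
    """Sign the user name, plus an optional expiry time, with the server key."""
    now = time.time() if now is None else now
    expires = "" if ttl is None else str(int(now + ttl))
    payload = f"{user}|{expires}"
    return f"{payload}|{_mac(payload)}"


def validate_cookie(cookie, now=None):
    """Return the user name if the MAC verifies and the cookie is unexpired."""
    now = time.time() if now is None else now
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, expires, mac = parts
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expires}").encode()):
        return None  # tampering is caught by the MAC
    if expires and now >= int(expires):
        return None  # an expiry only bounds the replay window
    return user  # nothing here ties the cookie to the client that logged in


def sent_by_browser(set_cookie_header, scheme):
    """Browser rule: a cookie carrying the Secure attribute is not sent over http."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return scheme == "https" or "secure" not in attrs


if __name__ == "__main__":
    cookie = issue_cookie("stimp")  # design from the post: user name + key only
    print("copy accepted as:", validate_cookie(str(cookie)))
    print("edited copy:", validate_cookie(cookie.replace("stimp", "admin")))
    print("plain cookie on http:", sent_by_browser(f"auth={cookie}; Path=/", "http"))
    print("Secure cookie on http:",
          sent_by_browser(f"auth={cookie}; Path=/; Secure; HttpOnly", "http"))
```

Because validation accepts any intact copy, the cookie has to travel over HTTPS on every page that requires login, not only on login.aspx. In ASP.NET forms authentication, `requireSSL="true"` on the `<forms>` element in web.config sets the Secure attribute on the ticket cookie.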
7 Replies


P: n/a
rf
Stimp wrote:
> I have a login page on a Windows IIS server: login.aspx
>
> I'd like to enable the user to optionally use HTTPS to login
> so that their password would not be easily snooped out.


Optionally?

Hmmm.

A user who does not know what HTTPS means (most of them) would be unlikely
to worry about choosing one way or the other.

A user who does know what HTTPS means would *expect* you to use this and a
few other things as well to make things secure. [1].

If you need to ask this question here then IMHO you really need to rethink
your entire security setup :-) Or is this just for a blog?

[1] One of the institutions I deal with uses HTTPS etc but if I forget my
password I can get it back, online, using two pieces of information: 1) My
account number and 2) my date of birth. Now, if somebody finds out my
account number (a very loosely guarded secret) they can surely find out my
DOB, which is after all in the public domain at the registry of births
deaths and marriages. I no longer deal with that institution online.

--
Cheers
Richard.
Nov 18 '05 #2

P: n/a
rf
Stimp wrote:
> I have a login page on a Windows IIS server: login.aspx


Ah, another bloody idiot who has set followups to something other than the
many disparate newsgroups mentioned in the original post.

Do you know that people in those other newsgroups (like alt.html) will not
see any of the posts made by other people from those groups? They will
assume nobody has answered the question and thus will waste their time
answering again.

--
Cheers
Richard.
Nov 18 '05 #3

P: n/a
On Mon, 23 Aug 2004 rf <rf@.> wrote:
> Stimp wrote:
>> I have a login page on a Windows IIS server: login.aspx
>>
>> I'd like to enable the user to optionally use HTTPS to login
>> so that their password would not be easily snooped out.
>
> A user who does not know what HTTPS means (most of them) would be unlikely
> to worry about choosing one way or the other.


Take a look at Yahoo Mail.. it allows the user to select 'Standard' or
'Secure' login.. obviously they will know that a 'Secure' login will
make their password 'more hidden' from surprise attacks

You should probably give people more credit
> account number (a very loosely guarded secret) they can surely find out my
> DOB, which is after all in the public domain at the registry of births
> deaths and marriages. I no longer deal with that institution online.


The rest of your post has no useful information whatsoever.. what a
waste of your time :)

--

"I hear ma train a comin'
.... hear freedom comin"
Nov 18 '05 #4

P: n/a
"rf" <rf@.invalid> wrote in message
news:V9****************@news-server.bigpond.net.au...
> Ah, another bloody idiot who has set followups to something other than the
> many disparate newsgroups mentioned in the original post.
>
> Do you know that people in those other newsgroups (like alt.html) will not
> see any of the posts made by other people from those groups? They will
> assume nobody has answered the question and thus will waste their time
> answering again.


If the OP hadn't cross-posted in the first place...
Nov 18 '05 #5

P: n/a
Poor thing. Sounds like someone wasn't picked for the kickball team in
kindergarten and is still bitter. Lighten up, dude.

"rf" <rf@.invalid> wrote in message
news:V9****************@news-server.bigpond.net.au...
> Stimp wrote:
>> I have a login page on a Windows IIS server: login.aspx
>
> Ah, another bloody idiot who has set followups to something other than the
> many disparate newsgroups mentioned in the original post.
>
> Do you know that people in those other newsgroups (like alt.html) will not
> see any of the posts made by other people from those groups? They will
> assume nobody has answered the question and thus will waste their time
> answering again.
>
> --
> Cheers
> Richard.

Nov 18 '05 #6

P: n/a
On Mon, 23 Aug 2004 rf <rf@.> wrote:

> Ah, another bloody idiot who has set followups to something other than the
> many disparate newsgroups mentioned in the original post.

"USENET troll in obnoxious posting shocker!"

--

"I hear ma train a comin'
.... hear freedom comin"
Nov 18 '05 #7

P: n/a
PL
> What does this involve exactly?
> I know that you use a https prefix instead of http, but that's it.


Buying a certificate for your domain and installing it into IIS.

If it's an "intranet" type of application you can download the
IIS Resource Kit Tools and generate one to use, but you'll
never get past the warnings.

PL.
Nov 18 '05 #8
