How to Use SSL only for Login.aspx page

Hi,

I have a scenario where I need to configure only the Login.aspx page to use
SSL. The rest of the application will run on the HTTP protocol. If someone can
guide me how to accomplish this. One of my ideas is to keep the login.aspx
page in a separate virtual directory and apply SSL only on that
directory, but I don't know if it will have an impact on session (maybe
it will create two sessions due to two different virtual directories).
If someone can guide me on what the best practice is to accomplish it.

Regards,

BizWorld

May 24 '06 #1

Just guide people to your HTTPS://www.YourWebsite.com/Login.aspx. Once you
have authenticated the user, redirect them to
HTTP://www.YourWebsite.com/Whereever.aspx; this should work. The code to
redirect is

Response.Redirect("HTTP://www.YourWebsite.com/Whereever.aspx")

What I don't understand is why you are having them log in but then send them
to an unsecured site. Unless you are using session to validate login.

good luck

Momo

May 25 '06 #2
Hi, momo

I'm trying to do exactly the same thing, but if I used the response.redirect
method, the session value got lost, such that
HTTP://www.YourWebsite.com/Whereever.aspx will not be able to let the
authorized user access it.

Is it possible to bring the session variable across from https to http? Or
any suggestion to resolve this issue?

Keith

May 25 '06 #3
Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieving it
from the unsecured page. This way no one can see the session value. It will
take two steps to do this.

When your login page authenticates a user, you have to take them to another
secure page, or you could use the same one. But in the page you will have a
form with a hidden textbox and a button that asks the user to click to
proceed; this button will then redirect them to the unsecured page. Then on
the unsecured page, retrieve the hidden textbox value and put it into a
session and off you go.

Good luck

Momo

May 25 '06 #4
Hi, momo,

Yep, got it, will try it out! Thanks very much!

Keith

May 26 '06 #5
Hi, momo

I'm sorry to bother you again. I have tried different ways to get the value
from the source page (such as request.form("hiddenLogin")), but I still cannot
retrieve the hidden textbox value from the secure page; in fact, it seems to me
that using the redirect method will lose the values of all controls. As I can use
querystring to pass the authenticated info. Can you tell me how you can
implement this?

Thanks in advance!
Keith

May 26 '06 #6
Rabbit,

I would not recommend passing the session info in your URL because that
would defeat the purpose of logging in. All someone would need to know is
the link and they can bypass the login page. As for why it does not work, I
don't know. But I found something that might help. Try it, and if it works,
reply back to me and then to the post.

Here you go.

###########################################
A52: At first, you should know, that if you share an unsecured session
with a secure session, you void the security of the https session, since a
network sniffer, could retrieve the cookie and use identity theft on the
https session!
However, we have made ISP Session as safe as possible for you
The steps to follow to share a session and to fix the security hole you
create by sharing a http session with https.

a. In global.asa set Application("CookieNoSSL") = True.
b. Just before you redirect to https set Session.ReEntrance = True, this
   allows a browser to continue a session while the hostname or even the
   complete URL changes.
c. At the redirected page, you disable ReEntrance again by
   Session.ReEntrance = False. If you go back to http, you should repeat the
   same trick.
d. To fix the security hole of sharing secure between unsecure (and vice
   versa) you should set Session.LiquidCookie = True in Session_OnStart.
   Note that you should thoroughly test your site after setting this option.
   LiquidCookies causes a session key to be valid for just one page request,
   after that request, a new key is automatically generated and established
   with your browser! So if a browser misses just one request, the session is
   lost.
#########################################
Good luck.

Momo.

May 26 '06 #7
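
Added example (not part of the thread, and not ISP Session's implementation): a small Python model of the one-request session key that the FAQ excerpt in post #7 describes, showing why a copied key stops working after the next request and why a missed response loses the session. The class and method names are hypothetical, and revoking the session when a spent key reappears is an addition beyond the excerpt.

```python
import secrets


class RotatingSessionStore:
    """Model of a session whose key is valid for exactly one request."""

    def __init__(self):
        self._live = {}     # current one-time key -> session id
        self._retired = {}  # spent key -> session id (kept to detect reuse)
        self._data = {}     # session id -> session values
        self.alerts = []    # session ids revoked after a spent key reappeared

    def login(self, user):
        sid = secrets.token_hex(8)
        self._data[sid] = {"user": user}
        return self._issue(sid)

    def _issue(self, sid):
        key = secrets.token_urlsafe(32)
        self._live[key] = sid
        return key

    def handle_request(self, key):
        """Return (session, next_key), or (None, None) if the key is not valid."""
        sid = self._live.pop(key, None)
        if sid is not None:
            self._retired[key] = sid      # the key is spent after one use
            return self._data[sid], self._issue(sid)
        sid = self._retired.get(key)
        if sid in self._data:
            # A spent key came back: either a copied key or a browser that
            # missed the previous response. Both end the session.
            del self._data[sid]
            self._live = {k: s for k, s in self._live.items() if s != sid}
            self.alerts.append(sid)
        return None, None


def demo():
    store = RotatingSessionStore()
    k0 = store.login("keith")                # constructed sample user
    session, k1 = store.handle_request(k0)   # normal request rotates k0 -> k1
    replay, _ = store.handle_request(k0)     # a copy of k0 presented again
    after, _ = store.handle_request(k1)      # session was revoked on reuse
    return session["user"], replay, after, len(store.alerts)
```

Rotation only shortens the life of each key: on the plain-HTTP pages the current key still crosses the network in clear text, so only serving every authenticated page over HTTPS removes that exposure.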