Bytes | Software Development & Data Engineering Community

SSL Question

I use Forms authentication to ensure that users login prior to accessing any
protected forms.
Works fine.

When they get redirected to the logon page I would like to know if an SSL
session could be established just for that page so their credentials are
sent over an encrypted channel.

I can set the whole site to use SSL. What I want to know is:
Can I set the site to not use SSL except for the logon page?

Thanks.

--
Joe Fallon

Nov 18 '05 #1
WJ
No. Because when you define your SSL certificate, it is meant for the entire
site (either port 443). I do not think there is a way around it.

John

Nov 18 '05 #2
You can mix and match http and https as a means to access the same pages any
way you want, but you have to be really careful about this. This can create
security holes. For instance, a hacker can wait for somebody to authenticate
and, when the user switches to a non-protected page, use a network sniffer to
steal his session cookie. Knowing the value of this cookie, the hacker will be
able to connect to the existing session, impersonating the authenticated user
and circumventing your authentication.

Nov 18 '05 #3
WJ
How can you, after being successfully authenticated by the SSL site (logon
page protected by SSL), be redirected to a non-SSL page and expect the
non-SSL page to understand the encrypted session? Or how can you pass the
authenticated package to a non-SSL page?

Example: from https://mysite1.com/Login.Aspx, call
http://mysite2.com/somePage.aspx. In this "somePage.aspx.OnPage_Load event",
how does the "if(this.IsAuthenticated)" instruction work? How does it know that
your user has been authenticated successfully by the 1st login site? How
can the 2nd site decrypt the SSL-encrypted package sent by the 1st site, if
that is possible?

Thanks,

John

Nov 18 '05 #4
You are right, in the scenario you presented it is not possible, but this is
not the scenario I was talking about.

Think of a site with a login page https://mysite1.com/Login.Aspx which after
login redirects to http://mysite1.com/SomeOther.aspx. The http response to
the second request will not be encrypted and will have the cookie with the
session ID. If somebody installs a sniffer and intercepts and parses this
request on its way from the web server to the web browser, he will be able to
figure it all out. And knowing the cookie, he will be able to connect to the
existing session on the server. Where he will be able to go from there all
depends on the design of the application, but the authentication is breached.

Nov 18 '05 #5
Keep in mind that SSL is a transport-level encryption. ASP .net never sees
the encrypted state. An encrypted SSL request and an unencrypted non-SSL
request look exactly the same to ASP .net. Also, I've seen sites that have
the login page use SSL and then submit to a non-SSL page for processing.
This means that the password and user name are sent in an unencrypted
fashion. HTH, Scott
Nov 18 '05 #6
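As an added example, not code from this thread or from ASP.NET itself, the following Python audit checks a captured page load for the two mixed-scheme mistakes described in mfeingold's replies (#3 and #5) and in Scott's post (#6): a session or Forms-authentication cookie travelling over plain HTTP, or set over HTTPS without the Secure attribute so the browser will replay it on the next http:// page; and an SSL login page whose form posts to a non-SSL URL. The host name mysite1.com comes from the thread and the cookie names are ASP.NET's defaults; the request, response and HTML text are constructed samples, not a real capture.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# ASP.NET's default cookie names for session state and Forms authentication.
SESSION_COOKIE_NAMES = {"ASP.NET_SessionId", ".ASPXAUTH"}


def parse_headers(raw_message):
    """Split a raw HTTP request/response into (start_line, [(name, value), ...]).
    Names are lower-cased; anything after the blank line (the body) is ignored."""
    lines = raw_message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookies_on_the_wire(scheme, raw_request, raw_response):
    """Return [(cookie_name, problem), ...] for one page load; scheme is the
    scheme of the URL the browser requested.  Over http, a session cookie in
    either direction is readable by a sniffer on the path.  Over https, a
    Set-Cookie without the Secure attribute is flagged because the browser will
    send that cookie in the clear on the next http:// link."""
    findings = []
    _, req_headers = parse_headers(raw_request)
    for name, value in req_headers:
        if name == "cookie" and scheme == "http":
            for part in value.split(";"):
                cookie_name = part.strip().split("=", 1)[0]
                if cookie_name in SESSION_COOKIE_NAMES:
                    findings.append((cookie_name, "sent by browser over plaintext HTTP"))
    _, resp_headers = parse_headers(raw_response)
    for name, value in resp_headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if cookie_name not in SESSION_COOKIE_NAMES:
            continue
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if scheme == "http":
            findings.append((cookie_name, "set by server over plaintext HTTP"))
        elif "secure" not in attrs:
            findings.append((cookie_name, "set without Secure attribute"))
    return findings


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def forms_posting_in_the_clear(page_url, html):
    """Return absolute URLs of forms on page_url that would not submit over
    https.  A relative or empty action resolves against page_url, so a form on
    an https page that posts to itself is fine."""
    collector = _FormActions()
    collector.feed(html)
    targets = [urljoin(page_url, a) for a in collector.actions]
    return [t for t in targets if urlsplit(t).scheme != "https"]


# Constructed sample traffic (not a real capture) modelling the thread's scenario:
# an SSL login page whose form posts over plain http, and a post-login redirect
# to an http page that carries the auth cookies.
LOGIN_PAGE_URL = "https://mysite1.com/Login.aspx"
LOGIN_PAGE_HTML = (
    '<form method="post" action="http://mysite1.com/Login.aspx">'
    '<input name="user"><input name="pass" type="password"></form>'
)
LOGIN_RESPONSE = (  # reply to the https POST; the cookie lacks the Secure attribute
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mysite1.com/SomeOther.aspx\r\n"
    "Set-Cookie: .ASPXAUTH=0123456789ABCDEF; path=/; HttpOnly\r\n\r\n"
)
PLAINTEXT_REQUEST = (  # the browser following that redirect over http
    "GET /SomeOther.aspx HTTP/1.1\r\nHost: mysite1.com\r\n"
    "Cookie: .ASPXAUTH=0123456789ABCDEF; ASP.NET_SessionId=abcdefghij\r\n\r\n"
)
PLAINTEXT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=abcdefghij; path=/\r\n\r\n<html></html>"
)


def audit():
    """Run every check over the sample exchange and return the findings by check."""
    return {
        "login_form": forms_posting_in_the_clear(LOGIN_PAGE_URL, LOGIN_PAGE_HTML),
        "login_response": cookies_on_the_wire(
            "https", "POST /Login.aspx HTTP/1.1\r\nHost: mysite1.com\r\n\r\n", LOGIN_RESPONSE),
        "http_page": cookies_on_the_wire("http", PLAINTEXT_REQUEST, PLAINTEXT_RESPONSE),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings)
```

Running it flags the login form's http action, the .ASPXAUTH cookie issued without Secure, and both cookies crossing the wire in the clear on the http page. In ASP.NET the Secure attribute on the Forms cookie comes from requireSSL="true" on the <forms> element in web.config, which also makes the runtime ignore that cookie on non-SSL requests: a cookie that is safe on the wire is, by construction, unavailable to the http pages, which is the trade-off the thread is circling.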
WJ
Thanks all for clarification. I am still not convinced fully, I am testing
yours to see if this is possible.

John
Nov 18 '05 #7