"mfeingold" <mf*******@discussions.microsoft.com> wrote in message
news:70**********************************@microsoft.com...
You can mix and match http and https as a means to access the same pages any way you want, but you have to be really careful about this. This can create security holes. For instance, a hacker can wait for somebody to authenticate and, when the user switches to a non-protected page, steal his session cookie using a network sniffer. Knowing the value of this cookie, the hacker will be able to connect to the existing session impersonating the authenticated user and circumventing your authentication.
How can you, after being successfully authenticated by the SSL site (logon page protected by SSL), be redirected to a non-SSL page and expect the non-SSL page to understand the encrypted session, or how can you pass the authenticated package to a non-SSL page?

Example: from https://mysite1.com/Login.Aspx, call http://mysite2.com/somePage.aspx. In this "somePage.aspx.OnPage_Load event", how does the "if(this.IsAuthenticated)" instruction work? How does it know that your user has been authenticated successfully from the 1st login site? How can the 2nd site decrypt the SSL/encrypted package sent in the 1st site, if that is possible?
Thanks,
John
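Added example, written for this reply and not taken from either poster: a Python simulation of the cookie behaviour described above, using the standard library's cookie jar in place of a browser. It shows that a session cookie issued over HTTPS is sent in the clear to a plain-HTTP page on the same host unless it carries the `Secure` attribute, and that it is never sent to a different host such as mysite2.com at all. The host names and the cookie value are constructed placeholders; `ASP.NET_SessionId` is the default ASP.NET session cookie name.

```python
"""Simulate what a browser does with a session cookie issued by the SSL
logon page when the next page is plain HTTP on the same host, or on a
different host. Host names and the cookie value are constructed."""
import http.cookiejar
import urllib.request
from email.message import Message

LOGIN_URL = "https://mysite1.com/Login.Aspx"          # SSL logon page
HTTP_SAME_HOST = "http://mysite1.com/somePage.aspx"    # non-SSL, same site
HTTP_OTHER_HOST = "http://mysite2.com/somePage.aspx"   # the 2nd site

# Constructed Set-Cookie headers: the weak form and the hardened form.
WEAK_COOKIE = "ASP.NET_SessionId=abc123; path=/"
SECURE_COOKIE = "ASP.NET_SessionId=abc123; path=/; Secure"


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, next_url):
    """Store the cookie as issued by LOGIN_URL, then return the Cookie
    header a client would attach to next_url (None if nothing is sent)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie),
                        urllib.request.Request(LOGIN_URL))
    req = urllib.request.Request(next_url)
    jar.add_cookie_header(req)   # policy drops Secure cookies on http://
    return req.get_header("Cookie")


if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("Secure", SECURE_COOKIE)):
        for url in (HTTP_SAME_HOST, HTTP_OTHER_HOST):
            print(f"{label:6} cookie -> {url}: {cookie_header_for(cookie, url)}")
```

The weak cookie reaches the plain-HTTP page on mysite1.com, which is exactly the value a sniffer would capture; the Secure cookie stays on HTTPS, and neither form is ever presented to mysite2.com, so the second site cannot rely on the first site's session cookie at all.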