Form Authentication with SSL

Discussion in 'ASP .Net Security' started by wrytat, Apr 11, 2005.

  1. wrytat

    wrytat Guest

    If I use form authentication with SSL with my web application, when I access
    my login page, I will go to https://www.mydomainname.com/login.aspx. After
    login, say I redirect the user to afterlogin.aspx. Will my address remain as
    https://www.mydomainname.com/afterlogin.aspx?

    Can I explicitly redirect it to http://www.mydomainname.com/afterlogin.aspx?
    Is this a good practice?

    This is because my ISP requires me to put every aspx file that requires SSL
    encryption in a "/secure" folder, and to access it, users have to go to
    https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx. So, most
    probably, I'll put my login page in that folder, while the other files, I'll
    put in other folder since I only need SSL for login. Am I right?
    wrytat, Apr 11, 2005
    #1

  2. Brock Allen

    Brock Allen Guest

    > If I use form authentication with SSL with my web application, when I
    > access my login page, I will go to
    > https://www.mydomainname.com/login.aspx. After login, say I redirect
    > the user to afterlogin.aspx. Will my address remain as
    > https://www.mydomainname.com/afterlogin.aspx?


    Yeah, the RedirectFromLoginPage will keep the https protocol in the address.

    > Can I explicitly redirect it to
    > http://www.mydomainname.com/afterlogin.aspx? Is this a good practice?


    You can. Instead of FormsAuthentication.RedirectFromLoginPage, just call
    FormsAuthentication.SetAuthCookie and then do your own redirect. People do
    this all the time to redirect based upon the specific user.

    > This is because my ISP requires me to put every aspx file that
    > requires SSL encryption in a "/secure" folder, and to access it, users
    > have to go to
    > https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx.


    Hmm, ok. If they say so :)

    > So, most probably, I'll put my login page in that folder, while the
    > other files, I'll put in other folder since I only need SSL for login.
    > Am I right?


    Well, the one thing to keep in mind is that once they've logged in, the cookie
    sent back to the browser is what identifies the user. So if the browser is
    sending cookies over a non secure channel (http vs https) then if I'm an
    attacker and I'm sniffing network packets I could potentially steal the cookie
    and then use it as my own. So, if your app is important then I'd make all
    pages that require authentication go over https. For other pages they can
    go over http but only if the browser doesn't send the cookie and this can
    be requested by a web.config setting:

    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 11, 2005
    #2
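As an added example (not code from either poster), this is a login page code-behind that does what Brock describes: it calls FormsAuthentication.SetAuthCookie and then performs its own redirect instead of using RedirectFromLoginPage. It assumes the requireSSL="true" setting from the answer is present in web.config, and it assumes a hypothetical CredentialStore.Validate(user, password) method of your own for checking the credentials; the control names (UserNameTextBox, PasswordTextBox, ErrorLabel) are also assumptions.

```csharp
// Added example, not from the thread. Assumes web.config contains:
//   <authentication mode="Forms">
//     <forms loginUrl="~/secure/login.aspx" requireSSL="true" />
//   </authentication>
// CredentialStore.Validate is a hypothetical helper of your own.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The password is in this POST; do not accept it in the clear.
        // (With requireSSL="true", SetAuthCookie would also throw an
        // HttpException on a non-SSL request, so check up front.)
        if (!Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl);
            return;
        }

        string user = UserNameTextBox.Text;
        if (!CredentialStore.Validate(user, PasswordTextBox.Text)) // hypothetical
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issue the forms-authentication ticket cookie. Because requireSSL="true",
        // the cookie carries the Secure flag and the browser only sends it over https.
        FormsAuthentication.SetAuthCookie(user, false /* not persistent */);

        // Decide the landing page ourselves. Only honour an app-local ReturnUrl,
        // so the login page cannot be used to bounce a user to an arbitrary site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (String.IsNullOrEmpty(returnUrl) || !IsLocalUrl(returnUrl))
        {
            returnUrl = "~/afterlogin.aspx";
        }

        // A relative redirect keeps the current scheme, so the user stays on https,
        // which is where the ticket cookie (the user's identity) must travel.
        Response.Redirect(returnUrl);
    }

    // A path is treated as local only if it is absolute within this site and
    // not a protocol-relative URL such as //other-host/...
    private static bool IsLocalUrl(string url)
    {
        return url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
    }
}
```

One consequence to plan for: with requireSSL="true" the browser withholds the ticket cookie on any http page, so those pages see the user as anonymous. That is exactly the protection Brock describes, but it means every page that needs to know who the user is has to be served over https.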
