Forms Authentication and SSL

Discussion in 'ASP .Net Security' started by Michael Tissington, Oct 21, 2003.

  1. I'm using Forms Authentication, the user may come from a HTTP page, the
    login page is using SSL, so after logging in the user will be redirected
    back to a non SSL page.

    This used to work without any warnings. Suddenly after entering the login
    information IE is warning the user that they are being redirected to a non
    secure page.

    What is causing this?

    If I change the login page to non ssl (just HTTP) then I don't get the
    problem.

    How can I use SSL for the login page and not prompt the user when they are
    being redirected?

    Thanks.

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com
     
    Michael Tissington, Oct 21, 2003
    #1

  2. Hi Michael,

    For security reasons, IE will show us this security alert either
    when we enter a secure website from a non-secure one, or vice versa.
    To my knowledge, we cannot dismiss this alert, unless we check the "In the
    future, do not show this warning" checkbox.

    This security alert is very useful when we want to send out our
    secret information, such as a credit account number or password, over the
    internet. With this alert, we should be notified whether the web site we are
    communicating with is a real secure or valid web site before sending out the
    secret information. Without this security alert, we have no sense of whether
    the web site is secure.

    Does it answer your question? If I have misunderstood your concern, please
    feel free to let me know.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
     
    Jacob Yang [MSFT], Oct 22, 2003
    #2

  3. Jacob,

    Yes, it partly answers my question.

    The other aspect of this is how do I use forms authentication with SSL?

    Consider the following

    1) User views a non SSL page
    2) Clicks on a link which requires forms authentication
    3) Web.config points to a https page for the login information
    4) Using SSL the login information is collected
    5) How then does the redirection back to the referring page work?
    Is it SSL or the original protocol - can it be specified?

    Basically we are just wanting to collect the user information using SSL
    and then return to the protocol that was in use when the user clicked on the
    link (which may or may not be https)

    Thanks.

    --
    Michael Tissington
    http://www.tabtag.com
    http://www.oaklodge.com


    "Jacob Yang [MSFT]" <> wrote in message
    news:TF$...
    > Hi Michael,
    >
    > From security consideration, IE will prompt us this security alert either
    > when we enter into a secure website from a non-secure one, or vice versa.
    > To my knowledge, we cannot dismiss this alert, unless we check the "In the
    > future, do not show this warning" checkbox.
    >
    > This security alert is very useful in the case if we want to send out our
    > secret information, such as credit account number, password, over internet.
    > With this alert, we should be notified whether the web site we are
    > communicating is a real secure or valid web site before sending out the
    > secret information. Without this security alert, we have no sense whether
    > the web site is secure.
    >
    > Does it answer your question? If I have misunderstood your concern, please
    > feel free to let me know.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
    >
     
    Michael Tissington, Oct 22, 2003
    #3
  4. Hi Michael,

    Is the login form (SSL required) in the same web application or virtual
    folder?

    With the FormsAuthentication.RedirectFromLoginPage method, we can't specify the
    protocol or get the source protocol from the FormsAuthentication object.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    MSFT, Oct 23, 2003
    #4
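
One way to do what post #4 says `FormsAuthentication.RedirectFromLoginPage` cannot: issue the ticket with `FormsAuthentication.SetAuthCookie`, then redirect to an absolute URL whose scheme the login page chooses, accepting `ReturnUrl` only when it is a local path. This is an added example, not code from any poster in the thread; `LoginRedirect`, `IsLocalPath`, `SignInAndRedirect` and `useHttps` are hypothetical names, and it assumes ASP.NET 2.0 or later on default ports 80/443.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; the class and member names are hypothetical.
public static class LoginRedirect
{
    // True only for application-local, path-only URLs such as
    // "/members/page.aspx". Rejects absolute URLs, "//host" and "/\host",
    // which browsers treat as a different site.
    public static bool IsLocalPath(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl[0] != '/')
            return false;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return false;
        foreach (char c in returnUrl)
            if (char.IsControl(c)) return false;   // keep CR/LF out of Location
        return true;
    }

    // Call from the HTTPS login page after the credentials have been checked.
    // useHttps selects the scheme of the page the user lands on (assumption:
    // the application decides this itself, e.g. per protected area).
    public static void SignInAndRedirect(HttpContext context, string userName, bool useHttps)
    {
        // Issue the forms-authentication ticket cookie without redirecting.
        FormsAuthentication.SetAuthCookie(userName, false);

        // ReturnUrl is the path forms authentication appended to the login URL.
        string returnUrl = context.Request.QueryString["ReturnUrl"];
        if (!IsLocalPath(returnUrl))
            returnUrl = context.Request.ApplicationPath;   // fall back to app root

        string scheme = useHttps ? "https" : "http";
        string target = scheme + "://" + context.Request.Url.Host + returnUrl;
        context.Response.Redirect(target, true);
    }
}
```

If the `<forms>` element sets `requireSSL="true"`, the ticket cookie is marked Secure and the browser will not send it to an `http://` page, so the user arrives there unauthenticated; without that setting, the ticket travels in cleartext on every HTTP request after login.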