Forms Authentication and SSL

Michael Tissington

I'm using Forms Authentication. The user may come from an HTTP page and the
login page is using SSL, so after logging in the user will be redirected
back to a non-SSL page.

This used to work without any warnings. Suddenly after entering the login
information IE is warning the user that they are being redirected to a non
secure page.

What is causing this?

If I change the login page to non-SSL (just HTTP) then I don't get the
problem.

How can I use SSL for the login page and not prompt the user when they are
being redirected?

Thanks.
 
Jacob Yang [MSFT]

Hi Michael,

For security reasons, IE will show this security alert either
when we enter a secure website from a non-secure one, or vice versa.
To my knowledge, we cannot dismiss this alert unless we check the "In the
future, do not show this warning" checkbox.

This security alert is very useful when we want to send
secret information, such as a credit account number or password, over the Internet.
With this alert, we should be notified whether the web site we are
communicating with is a really secure or valid web site before sending out the
secret information. Without this security alert, we have no sense of whether
the web site is secure.

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Michael Tissington

Jacob,

Yes, it partly answers my question.

The other aspect of this is how do I use forms authentication with SSL?

Consider the following:

1) User views a non-SSL page
2) Clicks on a link which requires forms authentication
3) Web.config points to an https page for the login information
4) Using SSL the login information is collected
5) How then does the redirection back to the referring page work?
Is it SSL or the original protocol - can it be specified?

Basically we are just wanting to collect the user information using SSL
and then return to the protocol that was in use when the user clicked on the
link (which may or may not be https).

Thanks.
 
MSFT

Hi Michael,

Is the login form (SSL required) in the same web application or virtual
folder?

With the FormsAuthentication.RedirectFromLoginPage method, we can't specify the
protocol or get the source protocol from the FormsAuthentication object.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
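
The last reply notes that FormsAuthentication.RedirectFromLoginPage cannot choose the protocol. One way to handle step 5 of the question is to issue the ticket with FormsAuthentication.SetAuthCookie and redirect to an absolute URL built by the application; the code below is an added example, not code from the thread. ReturnUrlBuilder and its methods are hypothetical names, and the example.com host, the sample inputs and the use of default ports are assumptions.

```csharp
using System;

// Added example (not from the thread). ReturnUrlBuilder is a hypothetical helper.
public static class ReturnUrlBuilder
{
    // Accept only a site-relative path: "/x" is fine; "//host", "/\host" and
    // absolute URLs are rejected so the redirect cannot leave this site.
    public static bool IsLocalPath(string s)
    {
        if (string.IsNullOrEmpty(s) || s[0] != '/') return false;
        if (s.Length > 1 && (s[1] == '/' || s[1] == '\\')) return false;
        foreach (char c in s) if (char.IsControl(c)) return false;
        return true;
    }

    // loginUrl:  URL of the SSL login page (Request.Url inside the page).
    // returnUrl: the ReturnUrl query-string value added by forms authentication.
    // scheme:    "http" or "https", chosen by the application.
    public static string Build(Uri loginUrl, string returnUrl, string scheme)
    {
        if (scheme != Uri.UriSchemeHttp && scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("scheme must be http or https", "scheme");
        if (!IsLocalPath(returnUrl)) returnUrl = "/";   // fall back to the site root

        // Assumption: both schemes are served from loginUrl.Host on default ports.
        Uri root = new Uri(scheme + "://" + loginUrl.Host + "/");
        Uri target = new Uri(root, returnUrl);
        if (target.Host != root.Host) target = root;    // defence in depth
        return target.AbsoluteUri;
    }

    // In the login page, after the credentials have been verified:
    //   FormsAuthentication.SetAuthCookie(userName, false);
    //   Response.Redirect(ReturnUrlBuilder.Build(
    //       Request.Url, Request.QueryString["ReturnUrl"], "http"));

    public static void Main()
    {
        // Constructed sample inputs.
        Uri login = new Uri("https://www.example.com/app/login.aspx");
        string[] samples = { "/app/members/default.aspx?id=7", "//other.example/x",
                             "http://other.example/", null };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s ?? "(none)", Build(login, s, "http"));
    }
}
```

When the user is returned to plain HTTP, the forms authentication cookie travels unencrypted on every later request. With `requireSSL="true"` on the `<forms>` element the browser does not send the cookie over HTTP at all, so the user appears unauthenticated on those pages.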
 
