How to use SSL for login page only

Discussion in 'ASP .Net Security' started by Cory J. Laidlaw, Beyond01.com, Mar 5, 2008.

  1. Hi there,

    I need to setup a web site that starts with a public home page.

    I would then like to have a link to a login page so I can authenticate them
    against a database.

    When I launch my project, it starts under HTTP, which is great. How can I
    make sure the Login page is under HTTPS?

    Thanks for any help you can provide!

    Cory
    Cory J. Laidlaw, Beyond01.com, Mar 5, 2008
    #1
    1. Advertising

  2. Cory J. Laidlaw, Beyond01.com

    Joe Kaplan Guest

    Why would you put only the login page under SSL? What makes you think that
    provides any security? Sure, you can encrypt the connection when the user
    is providing their plaintext password, but if someone snoops on a different
    request that isn't encrypted and steals the user's cookie (just as easy as
    stealing the pwd from the form post), they own the user just the same. It
    begs the question as to why bothering with SSL at all.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Cory J. Laidlaw, Beyond01.com"
    <> wrote in message
    news:D...
    > Hi there,
    >
    > I need to setup a web site that starts with a public home page.
    >
    > I would then like to have a link to a login page so I can authenticate
    > them
    > against a database.
    >
    > When I launch my project, it starts under HTTP, which is great. How can I
    > make sure the Login page is under HTTPS?
    >
    > Thanks for any help you can provide!
    >
    > Cory
    Joe Kaplan, Mar 6, 2008
    #2
    1. Advertising

  3. Joe,

    thanks for responding. I see your point.

    I just notice that several websites only employ SSL at certain periods, say
    when providing credit card information. Once completed, they turn SSL off
    again.

    Cory

    "Joe Kaplan" wrote:

    > Why would you put only the login page under SSL? What makes you think that
    > provides any security? Sure, you can encrypt the connection when the user
    > is providing their plaintext password, but if someone snoops on a different
    > request that isn't encrypted and steals the user's cookie (just as easy as
    > stealing the pwd from the form post), they own the user just the same. It
    > begs the question as to why bothering with SSL at all.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Cory J. Laidlaw, Beyond01.com"
    > <> wrote in message
    > news:D...
    > > Hi there,
    > >
    > > I need to setup a web site that starts with a public home page.
    > >
    > > I would then like to have a link to a login page so I can authenticate
    > > them
    > > against a database.
    > >
    > > When I launch my project, it starts under HTTP, which is great. How can I
    > > make sure the Login page is under HTTPS?
    > >
    > > Thanks for any help you can provide!
    > >
    > > Cory

    >
    >
    >
    Cory J. Laidlaw, Beyond01.com, Mar 6, 2008
    #3
  4. Cory J. Laidlaw, Beyond01.com

    Joe Kaplan Guest

    That may be ok too, as long as EVERY request to the server that needs to be
    secure goes though SSL. If you just secure the login page, that likely
    isn't enough. If you see a site doing that, I would not use it. I
    especially would not give them your credit card. :)

    You can partition your site into secure and unsecure areas. You can also
    set flags on your forms auth cookie to tell the browser to only send it on
    an SSL connection (called the "Secure" flag). That is an important detail
    to remember. I'd also set the HttpOnly flag on the cookie while you are at
    it, as that helps prevent against a variety of cross site scripting attacks.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Cory J. Laidlaw, Beyond01.com"
    <> wrote in message
    news:...
    > Joe,
    >
    > thanks for responding. I see your point.
    >
    > I just notice that several websites only employ SSL at certain periods,
    > say
    > when providing credit card information. Once completed, they turn SSL off
    > again.
    >
    > Cory
    >
    > "Joe Kaplan" wrote:
    >
    >> Why would you put only the login page under SSL? What makes you think
    >> that
    >> provides any security? Sure, you can encrypt the connection when the
    >> user
    >> is providing their plaintext password, but if someone snoops on a
    >> different
    >> request that isn't encrypted and steals the user's cookie (just as easy
    >> as
    >> stealing the pwd from the form post), they own the user just the same.
    >> It
    >> begs the question as to why bothering with SSL at all.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Cory J. Laidlaw, Beyond01.com"
    >> <> wrote in message
    >> news:D...
    >> > Hi there,
    >> >
    >> > I need to setup a web site that starts with a public home page.
    >> >
    >> > I would then like to have a link to a login page so I can authenticate
    >> > them
    >> > against a database.
    >> >
    >> > When I launch my project, it starts under HTTP, which is great. How can
    >> > I
    >> > make sure the Login page is under HTTPS?
    >> >
    >> > Thanks for any help you can provide!
    >> >
    >> > Cory

    >>
    >>
    >>
    Joe Kaplan, Mar 6, 2008
    #4
  5. hey Joe,

    Thanks for the advice. Do you know where I might see an example of how to
    set this tag?

    Thanks!

    Cory

    "Joe Kaplan" wrote:

    > That may be ok too, as long as EVERY request to the server that needs to be
    > secure goes though SSL. If you just secure the login page, that likely
    > isn't enough. If you see a site doing that, I would not use it. I
    > especially would not give them your credit card. :)
    >
    > You can partition your site into secure and unsecure areas. You can also
    > set flags on your forms auth cookie to tell the browser to only send it on
    > an SSL connection (called the "Secure" flag). That is an important detail
    > to remember. I'd also set the HttpOnly flag on the cookie while you are at
    > it, as that helps prevent against a variety of cross site scripting attacks.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Cory J. Laidlaw, Beyond01.com"
    > <> wrote in message
    > news:...
    > > Joe,
    > >
    > > thanks for responding. I see your point.
    > >
    > > I just notice that several websites only employ SSL at certain periods,
    > > say
    > > when providing credit card information. Once completed, they turn SSL off
    > > again.
    > >
    > > Cory
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> Why would you put only the login page under SSL? What makes you think
    > >> that
    > >> provides any security? Sure, you can encrypt the connection when the
    > >> user
    > >> is providing their plaintext password, but if someone snoops on a
    > >> different
    > >> request that isn't encrypted and steals the user's cookie (just as easy
    > >> as
    > >> stealing the pwd from the form post), they own the user just the same.
    > >> It
    > >> begs the question as to why bothering with SSL at all.
    > >>
    > >> Joe K.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> --
    > >> "Cory J. Laidlaw, Beyond01.com"
    > >> <> wrote in message
    > >> news:D...
    > >> > Hi there,
    > >> >
    > >> > I need to setup a web site that starts with a public home page.
    > >> >
    > >> > I would then like to have a link to a login page so I can authenticate
    > >> > them
    > >> > against a database.
    > >> >
    > >> > When I launch my project, it starts under HTTP, which is great. How can
    > >> > I
    > >> > make sure the Login page is under HTTPS?
    > >> >
    > >> > Thanks for any help you can provide!
    > >> >
    > >> > Cory
    > >>
    > >>
    > >>

    >
    >
    >
    Cory J. Laidlaw, Beyond01.com, Mar 6, 2008
    #5
  6. Cory J. Laidlaw, Beyond01.com

    Joe Kaplan Guest

    Setting requireSSL to True in the web.config for the forms authentication
    section will take care of the Secure flag. I'd check out the additional
    MSDN docs and articles on Forms auth to get more details. Here is one
    starting place:

    http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Cory J. Laidlaw, Beyond01.com"
    <> wrote in message
    news:...
    > hey Joe,
    >
    > Thanks for the advice. Do you know where I might see an example of how to
    > set this tag?
    >
    > Thanks!
    >
    > Cory
    >
    > "Joe Kaplan" wrote:
    >
    >> That may be ok too, as long as EVERY request to the server that needs to
    >> be
    >> secure goes though SSL. If you just secure the login page, that likely
    >> isn't enough. If you see a site doing that, I would not use it. I
    >> especially would not give them your credit card. :)
    >>
    >> You can partition your site into secure and unsecure areas. You can also
    >> set flags on your forms auth cookie to tell the browser to only send it
    >> on
    >> an SSL connection (called the "Secure" flag). That is an important
    >> detail
    >> to remember. I'd also set the HttpOnly flag on the cookie while you are
    >> at
    >> it, as that helps prevent against a variety of cross site scripting
    >> attacks.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Cory J. Laidlaw, Beyond01.com"
    >> <> wrote in message
    >> news:...
    >> > Joe,
    >> >
    >> > thanks for responding. I see your point.
    >> >
    >> > I just notice that several websites only employ SSL at certain periods,
    >> > say
    >> > when providing credit card information. Once completed, they turn SSL
    >> > off
    >> > again.
    >> >
    >> > Cory
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> Why would you put only the login page under SSL? What makes you think
    >> >> that
    >> >> provides any security? Sure, you can encrypt the connection when the
    >> >> user
    >> >> is providing their plaintext password, but if someone snoops on a
    >> >> different
    >> >> request that isn't encrypted and steals the user's cookie (just as
    >> >> easy
    >> >> as
    >> >> stealing the pwd from the form post), they own the user just the same.
    >> >> It
    >> >> begs the question as to why bothering with SSL at all.
    >> >>
    >> >> Joe K.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> --
    >> >> "Cory J. Laidlaw, Beyond01.com"
    >> >> <> wrote in message
    >> >> news:D...
    >> >> > Hi there,
    >> >> >
    >> >> > I need to setup a web site that starts with a public home page.
    >> >> >
    >> >> > I would then like to have a link to a login page so I can
    >> >> > authenticate
    >> >> > them
    >> >> > against a database.
    >> >> >
    >> >> > When I launch my project, it starts under HTTP, which is great. How
    >> >> > can
    >> >> > I
    >> >> > make sure the Login page is under HTTPS?
    >> >> >
    >> >> > Thanks for any help you can provide!
    >> >> >
    >> >> > Cory
    >> >>
    >> >>
    >> >>

    >>
    >>
    >>
    Joe Kaplan, Mar 6, 2008
    #6
  7. Thanks for the link.

    So if I inteperet this article correctly, the setting in Web.Config declares
    that anytime an authentication COOKIE is sent, it is encrypted, correct?

    Does this force the entire page to be SSL Encrypted since it's in
    Web.Config, that would make the entire web encrypted, correct?

    I get why constantly encrypting the cookie is important because you don't
    want it exploited if someone captures it with a malicious script or something.

    You mentioned being able to partition the site into secured and unsecured
    pages. maybe this is truly what I need to do. Is there an example of how to
    do this? Is it just creating a new folder in the site and somehow marking
    that folder that it always requires SSL and then putting allo f the sensitive
    pages in the encrypted folder while keeping the public folders in the 'main'
    web?

    Thanks for your help

    "Joe Kaplan" wrote:

    > Setting requireSSL to True in the web.config for the forms authentication
    > section will take care of the Secure flag. I'd check out the additional
    > MSDN docs and articles on Forms auth to get more details. Here is one
    > starting place:
    >
    > http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Cory J. Laidlaw, Beyond01.com"
    > <> wrote in message
    > news:...
    > > hey Joe,
    > >
    > > Thanks for the advice. Do you know where I might see an example of how to
    > > set this tag?
    > >
    > > Thanks!
    > >
    > > Cory
    > >
    > > "Joe Kaplan" wrote:
    > >
    > >> That may be ok too, as long as EVERY request to the server that needs to
    > >> be
    > >> secure goes though SSL. If you just secure the login page, that likely
    > >> isn't enough. If you see a site doing that, I would not use it. I
    > >> especially would not give them your credit card. :)
    > >>
    > >> You can partition your site into secure and unsecure areas. You can also
    > >> set flags on your forms auth cookie to tell the browser to only send it
    > >> on
    > >> an SSL connection (called the "Secure" flag). That is an important
    > >> detail
    > >> to remember. I'd also set the HttpOnly flag on the cookie while you are
    > >> at
    > >> it, as that helps prevent against a variety of cross site scripting
    > >> attacks.
    > >>
    > >> Joe K.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> --
    > >> "Cory J. Laidlaw, Beyond01.com"
    > >> <> wrote in message
    > >> news:...
    > >> > Joe,
    > >> >
    > >> > thanks for responding. I see your point.
    > >> >
    > >> > I just notice that several websites only employ SSL at certain periods,
    > >> > say
    > >> > when providing credit card information. Once completed, they turn SSL
    > >> > off
    > >> > again.
    > >> >
    > >> > Cory
    > >> >
    > >> > "Joe Kaplan" wrote:
    > >> >
    > >> >> Why would you put only the login page under SSL? What makes you think
    > >> >> that
    > >> >> provides any security? Sure, you can encrypt the connection when the
    > >> >> user
    > >> >> is providing their plaintext password, but if someone snoops on a
    > >> >> different
    > >> >> request that isn't encrypted and steals the user's cookie (just as
    > >> >> easy
    > >> >> as
    > >> >> stealing the pwd from the form post), they own the user just the same.
    > >> >> It
    > >> >> begs the question as to why bothering with SSL at all.
    > >> >>
    > >> >> Joe K.
    > >> >>
    > >> >> --
    > >> >> Joe Kaplan-MS MVP Directory Services Programming
    > >> >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> >> Programming"
    > >> >> http://www.directoryprogramming.net
    > >> >> --
    > >> >> "Cory J. Laidlaw, Beyond01.com"
    > >> >> <> wrote in message
    > >> >> news:D...
    > >> >> > Hi there,
    > >> >> >
    > >> >> > I need to setup a web site that starts with a public home page.
    > >> >> >
    > >> >> > I would then like to have a link to a login page so I can
    > >> >> > authenticate
    > >> >> > them
    > >> >> > against a database.
    > >> >> >
    > >> >> > When I launch my project, it starts under HTTP, which is great. How
    > >> >> > can
    > >> >> > I
    > >> >> > make sure the Login page is under HTTPS?
    > >> >> >
    > >> >> > Thanks for any help you can provide!
    > >> >> >
    > >> >> > Cory
    > >> >>
    > >> >>
    > >> >>
    > >>
    > >>
    > >>

    >
    >
    >
    Cory J. Laidlaw, Beyond01.com, Mar 6, 2008
    #7
  8. Cory J. Laidlaw, Beyond01.com

    Joe Kaplan Guest

    There are a couple of things going on here. First, when a cookie itself has
    the "Secure" flag set on it, all that does is provides an instruction to the
    browser when it receives the cookie to only send that cookie back to the
    server if the request is to an SSL protected site. It doesn't say anything
    about the contents of the cookie itself. Basically, this just ensures that
    a third party can't sniff your wire traffic and steal the cookie because SSL
    is encrypting the channel itself.

    For the cookie data to be encrypted, you need to use one of the protection
    level flags. I'd suggest cranking it all the way up to "All". This
    basically prevents the user from being able to interpret the cookie data or
    change it. What that does is prevents a valid user from doing something
    like changing the cookie data to impersonate a different user. You don't
    want them to be able to do that either.

    In terms of site partitioning, I'm sure there must be a good article on
    doing that somewhere. I haven't done it personally, so I'm probably not the
    best guy to ask about that. The sites I build are SSL-only, so I haven't
    had to deal with having a mix. :) I'm sure if you look around, you'll find
    some good resources though.

    Best of luck!

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Cory J. Laidlaw, Beyond01.com"
    <> wrote in message
    news:...
    > Thanks for the link.
    >
    > So if I inteperet this article correctly, the setting in Web.Config
    > declares
    > that anytime an authentication COOKIE is sent, it is encrypted, correct?
    >
    > Does this force the entire page to be SSL Encrypted since it's in
    > Web.Config, that would make the entire web encrypted, correct?
    >
    > I get why constantly encrypting the cookie is important because you don't
    > want it exploited if someone captures it with a malicious script or
    > something.
    >
    > You mentioned being able to partition the site into secured and unsecured
    > pages. maybe this is truly what I need to do. Is there an example of how
    > to
    > do this? Is it just creating a new folder in the site and somehow marking
    > that folder that it always requires SSL and then putting allo f the
    > sensitive
    > pages in the encrypted folder while keeping the public folders in the
    > 'main'
    > web?
    >
    > Thanks for your help
    >
    > "Joe Kaplan" wrote:
    >
    >> Setting requireSSL to True in the web.config for the forms authentication
    >> section will take care of the Secure flag. I'd check out the additional
    >> MSDN docs and articles on Forms auth to get more details. Here is one
    >> starting place:
    >>
    >> http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Cory J. Laidlaw, Beyond01.com"
    >> <> wrote in message
    >> news:...
    >> > hey Joe,
    >> >
    >> > Thanks for the advice. Do you know where I might see an example of how
    >> > to
    >> > set this tag?
    >> >
    >> > Thanks!
    >> >
    >> > Cory
    >> >
    >> > "Joe Kaplan" wrote:
    >> >
    >> >> That may be ok too, as long as EVERY request to the server that needs
    >> >> to
    >> >> be
    >> >> secure goes though SSL. If you just secure the login page, that
    >> >> likely
    >> >> isn't enough. If you see a site doing that, I would not use it. I
    >> >> especially would not give them your credit card. :)
    >> >>
    >> >> You can partition your site into secure and unsecure areas. You can
    >> >> also
    >> >> set flags on your forms auth cookie to tell the browser to only send
    >> >> it
    >> >> on
    >> >> an SSL connection (called the "Secure" flag). That is an important
    >> >> detail
    >> >> to remember. I'd also set the HttpOnly flag on the cookie while you
    >> >> are
    >> >> at
    >> >> it, as that helps prevent against a variety of cross site scripting
    >> >> attacks.
    >> >>
    >> >> Joe K.
    >> >>
    >> >> --
    >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> Programming"
    >> >> http://www.directoryprogramming.net
    >> >> --
    >> >> "Cory J. Laidlaw, Beyond01.com"
    >> >> <> wrote in message
    >> >> news:...
    >> >> > Joe,
    >> >> >
    >> >> > thanks for responding. I see your point.
    >> >> >
    >> >> > I just notice that several websites only employ SSL at certain
    >> >> > periods,
    >> >> > say
    >> >> > when providing credit card information. Once completed, they turn
    >> >> > SSL
    >> >> > off
    >> >> > again.
    >> >> >
    >> >> > Cory
    >> >> >
    >> >> > "Joe Kaplan" wrote:
    >> >> >
    >> >> >> Why would you put only the login page under SSL? What makes you
    >> >> >> think
    >> >> >> that
    >> >> >> provides any security? Sure, you can encrypt the connection when
    >> >> >> the
    >> >> >> user
    >> >> >> is providing their plaintext password, but if someone snoops on a
    >> >> >> different
    >> >> >> request that isn't encrypted and steals the user's cookie (just as
    >> >> >> easy
    >> >> >> as
    >> >> >> stealing the pwd from the form post), they own the user just the
    >> >> >> same.
    >> >> >> It
    >> >> >> begs the question as to why bothering with SSL at all.
    >> >> >>
    >> >> >> Joe K.
    >> >> >>
    >> >> >> --
    >> >> >> Joe Kaplan-MS MVP Directory Services Programming
    >> >> >> Co-author of "The .NET Developer's Guide to Directory Services
    >> >> >> Programming"
    >> >> >> http://www.directoryprogramming.net
    >> >> >> --
    >> >> >> "Cory J. Laidlaw, Beyond01.com"
    >> >> >> <> wrote in
    >> >> >> message
    >> >> >> news:D...
    >> >> >> > Hi there,
    >> >> >> >
    >> >> >> > I need to setup a web site that starts with a public home page.
    >> >> >> >
    >> >> >> > I would then like to have a link to a login page so I can
    >> >> >> > authenticate
    >> >> >> > them
    >> >> >> > against a database.
    >> >> >> >
    >> >> >> > When I launch my project, it starts under HTTP, which is great.
    >> >> >> > How
    >> >> >> > can
    >> >> >> > I
    >> >> >> > make sure the Login page is under HTTPS?
    >> >> >> >
    >> >> >> > Thanks for any help you can provide!
    >> >> >> >
    >> >> >> > Cory
    >> >> >>
    >> >> >>
    >> >> >>
    >> >>
    >> >>
    >> >>

    >>
    >>
    >>
    Joe Kaplan, Mar 6, 2008
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. X-Killer
    Replies:
    1
    Views:
    412
    Tampa.NET Koder
    Mar 7, 2005
  2. BizWorld
    Replies:
    6
    Views:
    4,621
  3. John Smith
    Replies:
    0
    Views:
    372
    John Smith
    Oct 5, 2006
  4. mpes

    SSL for login page only

    mpes, Mar 10, 2005, in forum: ASP .Net Security
    Replies:
    2
    Views:
    104
  5. Colin Graham

    Login to admin system through login screen only

    Colin Graham, Apr 10, 2005, in forum: ASP .Net Security
    Replies:
    1
    Views:
    235
    Joseph MCAD
    Apr 11, 2005
Loading...

Share This Page