How to Use SSL only for Login.aspx page

BizWorld

Hi,

I have a scenario where I need to configure only the Login.aspx page to use
SSL. The rest of the application will run on the HTTP protocol. Could someone
guide me on how to accomplish this? One idea of mine is to keep the login.aspx
page in a separate virtual directory and apply SSL only on that
directory, but I don't know if it will have an impact on the session (maybe
it will create two sessions due to the two different virtual directories).
If someone can guide me, what is the best practice to accomplish it?

Regards,

BizWorld
 
Rabbit

Hi, momo

I'm trying to do exactly the same thing, but if I used response.redirect
method, the session value got lost, such that
HTTP://www.YourWebsite.com/Whereever.aspx will not be able to let the
authorized user access it.

Is it possible to bring the session variable across from https to http? Or
any suggestion to resolve this issue?

Keith
 
momo

Hello Keith,

I would suggest passing the session to a hidden textbox and then retrieving it
from the unsecured page. This way no one can see the session value. It will
take two steps to do this.

When your login page authenticates a user you have to take them to another
secure page, or you could use the same one. But in the page you will have a
form with a hidden textbox and a button that asks the user to click to
proceed; this button will then redirect them to the unsecured page. Then on
the unsecured page retrieve the hidden textbox value and put it into a
session and off you go.

Good luck

Momo
 
Rabbit

Hi, momo

I'm sorry to bother you again. I have tried different ways to get the value
of the source page (such as request.form("hiddenLogin")), but I still cannot
retrieve the hidden textbox value from the secure page; in fact it seems to me
that using the redirect method will lose the values of all controls. As I can use
querystring to pass the authenticated info. Can you tell me how you
implement this?

Thanks in advance!
Keith
 
momo

Rabbit,

I would not recommend passing the session info in your URL because that
would defeat the purpose of logging in. All someone would need to know is
the link and they can bypass the login page. As for why it does not work, I
don't know. But I found something that might help. Try it and if it works
reply back to me and then to the post.

Here you go.

###########################################
A52: At first, you should know that if you share an unsecured session
with a secure session, you void the security of the https session, since a
network sniffer could retrieve the cookie and use identity theft on the
https session!
However, we have made ISP Session as safe as possible for you.
The steps to follow to share a session and to fix the security hole you
create by sharing a http session with https:

a. In global.asa set Application("CookieNoSSL") = True.
b. Just before you redirect to https set Session.ReEntrance = True; this
allows a browser to continue a session while the hostname or even the
complete URL changes.
c. At the redirected page, you disable ReEntrance again by
Session.ReEntrance = False. If you go back to http, you should repeat the
same trick.
d. To fix the security hole of sharing secure between unsecure (and vice
versa) you should set Session.LiquidCookie = True in Session_OnStart.
Note that you should thoroughly test your site after setting this option.
LiquidCookies causes a session key to be valid for just one page request;
after that request, a new key is automatically generated and established
with your browser! So if a browser misses just one request, the session is
lost.
#########################################
Good luck.

Momo.
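
A small model of the one-request session key behaviour described in the quoted FAQ text above, added here as an example; it is not part of the original thread and is not ISP Session's code. The class and function names are hypothetical and the session data is constructed.

```python
import secrets


class RotatingSessionStore:
    """Model of a per-request rotating session key (hypothetical, not ISP Session)."""

    def __init__(self):
        self._by_key = {}  # current key -> session data

    def start(self, data):
        key = secrets.token_urlsafe(32)
        self._by_key[key] = dict(data)
        return key

    def request(self, key):
        """Handle one page request: consume `key`, return (data, next_key).

        Returns (None, None) when the key is unknown or was already used.
        """
        data = self._by_key.pop(key, None)  # a key is valid for one request only
        if data is None:
            return None, None
        next_key = secrets.token_urlsafe(32)
        self._by_key[next_key] = data
        return data, next_key


def walkthrough():
    store = RotatingSessionStore()
    results = {}
    k1 = store.start({"user": "keith"})  # constructed sample session

    data, k2 = store.request(k1)  # normal request; the browser receives k2
    results["normal"] = data is not None and k2 != k1

    # A key that was already used (for example one captured earlier on HTTP).
    results["replay_rejected"] = store.request(k1) == (None, None)

    # The response carrying k3 never reaches the browser, so it retries with k2.
    _, k3 = store.request(k2)
    results["session_lost_after_missed_response"] = store.request(k2) == (None, None)

    # Limitation: the newest key is accepted from whoever presents it first.
    results["unused_key_still_valid"] = store.request(k3)[0] == {"user": "keith"}
    return results


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name}: {ok}")
```

The last case shows that rotation narrows the window for a key exposed on the HTTP side but does not close it, which is why the FAQ still calls sharing the session a security hole.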
 
