Linking secured SSL domain with unsecure domain smoothly -- any ideas?

[Jonas Daunoravicius]

I currently have a SSL domain where the SSL cert is applied to the
whole FQDN. So, the whole domain is https://***. Also, we have
another domain that does not have SSL. Using ASP, vbscript, and html,
I'm linking certain logos and pdf files from the unsecured domain to
the secured domain.

The problem is that when a user logs in the secured site and goes to
that specific page that has the logo that is pulled from http://***,
the warning message displayed below comes up. Obviously this makes
sense, but we don't want the user to have to see the warning message
and after pressing 'Yes', have to login again in order to see the
logo.

1)In the browser under Tools>advanced, warn if changing between secure
to nonsecure --- this is unchecked already.
2)We can buy a SSL cert for the http://*** usecure site, but we don't
have that in the budget right now.
3)we can't 'unsecure' a single section of the https://*** secured
site...this would still end up doing the same thing, but just show the
message earlier.

Therefore, what can I do? Any programming and file changes that can
be done to change this? Any help is very appreciated.

------the warning message-----
Security Information:
This page contains both secure and nonsecure items, do you want to
display the nonsecure items?

 

[Curt_C [MVP]]

nope.... it's by design.

 

[Jonas Daunoravicius]

If I really can't get rid of the warning message, how do I at least
make it so that the user doesn't have to login again on the http side?

I looked at a few other postings and a few others said stuff like:

-------------------------
I concluded that an interim page was necessary, but I still got the
message when
I did a simple Response.Redirect (or any method of moving to a new
page). Then I
was trying to figure out how to code the interim page where the user
clicks a
link to get back to the non-secure page.

Actually, I managed to discover a way of doing it...turns out that if
you set the
action of the <form> tag to the full URL (including the
http://server/appname),
it redirects to the non-secure page with no questions asked.

This works for both GET and POST methods, although I don't recommend
using GET on
aspx pages...the state information in the resulting URL isn't pretty!
------------------------

and also,

------------------------
i found a workaround on deja.com

<META HTTP-EQUIV="REFRESH"
CONTENT="0;URL=http://www.yourpage.com/check.asp">
------------------------

I also earlier found a page that had ASP code that actually made it
work but now I can't find that thread posting on google.

What would you guys think is the best way to do it? And also possibly
pass in the username and password automatically so that they don't
have to again after the warning message?

- Jonas

 

[Brynn]

are the sites on the same server ... can you create a virual directory
to the images, etc...

If I really can't get rid of the warning message, how do I at least
make it so that the user doesn't have to login again on the http side?

I looked at a few other postings and a few others said stuff like:

-------------------------
I concluded that an interim page was necessary, but I still got the
message when
I did a simple Response.Redirect (or any method of moving to a new
page). Then I
was trying to figure out how to code the interim page where the user
clicks a
link to get back to the non-secure page.

Actually, I managed to discover a way of doing it...turns out that if
you set the
action of the <form> tag to the full URL (including the
http://server/appname),
it redirects to the non-secure page with no questions asked.

This works for both GET and POST methods, although I don't recommend
using GET on
aspx pages...the state information in the resulting URL isn't pretty!
------------------------

and also,

------------------------
i found a workaround on deja.com

<META HTTP-EQUIV="REFRESH"
CONTENT="0;URL=http://www.yourpage.com/check.asp">
------------------------

I also earlier found a page that had ASP code that actually made it
work but now I can't find that thread posting on google.

What would you guys think is the best way to do it? And also possibly
pass in the username and password automatically so that they don't
have to again after the warning message?

- Jonas

I participate in the group to help give examples of code. I do not guarantee the effects of any code posted. Test all code before use!

Brynn
www.coolpier.com

 

[Jonas Daunoravicius]

Yes, everything is on the same web server. We have the (1) public
domain on it, then the (2) secured domain with the SSL certificate on
it where users can login, and then a (3) sponsor domain where
companies can login, but does not have SSL. So, when the user logs
into (2), I have some pages that have articles and logos getting
pulled off of (3), so the warning message comes on and the user needs
to login again to view the logos and what not otherwise it won't come
up.

I'm not sure what how creating a virtual directory would accomplish
what I'm trying to do. At this point, I'd like to at least have it so
that the user doesn't have to login again when he goes to the page
that pulls stuff from (3). The warning message is not that big of a
deal, but it would be nice to get rid of that as well if possible.
There has to be a way to pass in the username and password since stuff
is being pulled from a different domain that requires the same
authentication?

- Jonas

 

[Jonas Daunoravicius]

Since my question went from the warning message to how to remove
multiple logins, I posted a new thread with the title:
Preventing multiple login prompts when using 2 different domains
to try and solve the problem I'm having.