SSL for login page only

[mpes]

Hi all,

My ASP.NET intranet web application uses windows authentication. It has to
support both IE and Mozilla browsers so I am forced to allow Basic
Authentication for Mozilla users. Because of some intranet configuration
issues I cannot use the Digest Authentication.

I would like to protect the user name/password using SSL. But for
performance reason I want to protect just login, the rest of the
communication shouldn't use SSL.

What is the way of doing this? The application start page is default.aspx.

I tried:

1. Set "Require SSL" for default.aspx page in IIS - result is that SSL will
then be used for all pages

2. Hook in Global.asax Application_BeginRequest and if the request is not
for default.aspx I rewrite "https" request to "http" - that works and
switches the protocol, however with switching the protocol the web browser
fires the login window again (so the user has to type in the password second
time and this time I believe it would travel in clear text)

Any other ideas? I searched internet quite extensively but could not find
anything.

Thanks,
Martin

 

[Nicole Calinoiu]

It's possible, but it's not a great idea. After a user logs in via basic
authentication, the login credentials will be communicated to the server as
simple base64-encoded plaintext in the HTTP headers. If you allow this
information to travel over HTTP, it will be as susceptible to theft by an
eavesdropper as it was at the original login.

 

[mpes]

Thanks Nicole,

Well I did not know that thing about credentials in HTTP headers. Of course
in such circumstances it does not make sense to SSL encode just initial
login. That would explain why I could not find any "How to do it" info on
internet

Thanks a lot!