SSL for login page only

Discussion in 'ASP .Net Security' started by mpes, Mar 10, 2005.

  1. mpes

    mpes Guest

    Hi all,

    My ASP.NET intranet web application uses Windows authentication. It has to
    support both IE and Mozilla browsers so I am forced to allow Basic
    Authentication for Mozilla users. Because of some intranet configuration
    issues I cannot use the Digest Authentication.

    I would like to protect the user name/password using SSL. But for
    performance reasons I want to protect just login, the rest of the
    communication shouldn't use SSL.

    What is the way of doing this? The application start page is default.aspx.

    I tried:

    1. Set "Require SSL" for default.aspx page in IIS - result is that SSL will
    then be used for all pages

    2. Hook in Global.asax Application_BeginRequest and if the request is not
    for default.aspx I rewrite "https" request to "http" - that works and
    switches the protocol, however with switching the protocol the web browser
    fires the login window again (so the user has to type in the password a second
    time and this time I believe it would travel in clear text)

    Any other ideas? I searched the internet quite extensively but could not find
    anything.

    Thanks,
    Martin
    mpes, Mar 10, 2005
    #1

  2. It's possible, but it's not a great idea. After a user logs in via basic
    authentication, the login credentials will be communicated to the server as
    simple base64-encoded plaintext in the HTTP headers. If you allow this
    information to travel over HTTP, it will be as susceptible to theft by an
    eavesdropper as it was at the original login.



    "mpes" <> wrote in message
    news:...
    > Hi all,
    >
    > My ASP.NET intranet web application uses windows authentication. It has to
    > support both IE and Mozilla browsers so I am forced to allow Basic
    > Authentication for Mozilla users. Because of some intranet configuration
    > issues I cannot use the Digest Authentication.
    >
    > I would like to protect the user name/password using SSL. But for
    > performance reason I want to protect just login, the rest of the
    > communication shouldn't use SSL.
    >
    > What is the way of doing this? The application start page is default.aspx.
    >
    > I tried:
    >
    > 1. Set "Require SSL" for default.aspx page in IIS - result is that SSL
    > will
    > then be used for all pages
    >
    > 2. Hook in Global.asax Application_BeginRequest and if the request is not
    > for default.aspx I rewrite "https" request to "http" - that works and
    > switches the protocol, however with switching the protocol the web browser
    > fires the login window again (so the user has to type in the password
    > second
    > time and this time I believe it would travel in clear text)
    >
    > Any other ideas? I searched internet quite extensively but could not find
    > anything.
    >
    > Thanks,
    > Martin
    >
    >
    Nicole Calinoiu, Mar 10, 2005
    #2
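Added example, not part of the original posts: a small Python audit that walks a list of captured requests and reports every one that carries Basic credentials without TLS, which is the exposure described in the reply above once the site drops back to HTTP. The host name, user name, password and request list are constructed sample data.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample traffic: (URL, request headers). Credentials are made up.
_TOKEN = base64.b64encode(b"martin:S3cret!").decode("ascii")
SAMPLE_REQUESTS = [
    ("https://intranet.example/default.aspx", {}),                # answered with 401
    ("https://intranet.example/default.aspx", {"Authorization": "Basic " + _TOKEN}),
    ("http://intranet.example/reports.aspx", {}),                 # new origin: 401, re-prompt
    ("http://intranet.example/reports.aspx", {"Authorization": "Basic " + _TOKEN}),
    ("http://intranet.example/img/logo.gif", {"authorization": "basic " + _TOKEN}),
]


def parse_basic(value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep else None


def cleartext_basic_requests(requests):
    """Return (url, user) for each request sending Basic credentials without TLS."""
    findings = []
    for url, headers in requests:
        # HTTP header names are case-insensitive.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        creds = parse_basic(auth) if auth else None
        if creds and urlsplit(url).scheme.lower() != "https":
            findings.append((url, creds[0]))  # report the user, never the password
    return findings


if __name__ == "__main__":
    for url, user in cleartext_basic_requests(SAMPLE_REQUESTS):
        print(f"Basic credentials for {user!r} sent in cleartext to {url}")
```

Every request after the login, including the one for a static image, repeats the same header, so the finding count grows with each page the user visits over HTTP.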

  3. mpes

    mpes Guest

    Thanks Nicole,

    Well, I did not know that thing about credentials in HTTP headers. Of course
    in such circumstances it does not make sense to SSL-encode just the initial
    login. That would explain why I could not find any "How to do it" info on
    the internet :)

    Thanks a lot!


    "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
    news:...
    > It's possible, but it's not a great idea. After a user logs in via basic
    > authentication, the login credentials will be communicated to the server as
    > simple base64-encoded plaintext in the HTTP headers. If you allow this
    > information to travel over HTTP, it will be as susceptible to theft by an
    > eavesdropper as it was at the original login.
    >
    >
    >
    > "mpes" <> wrote in message
    > news:...
    > > Hi all,
    > >
    > > My ASP.NET intranet web application uses windows authentication. It has to
    > > support both IE and Mozilla browsers so I am forced to allow Basic
    > > Authentication for Mozilla users. Because of some intranet configuration
    > > issues I cannot use the Digest Authentication.
    > >
    > > I would like to protect the user name/password using SSL. But for
    > > performance reason I want to protect just login, the rest of the
    > > communication shouldn't use SSL.
    > >
    > > What is the way of doing this? The application start page is default.aspx.
    > >
    > > I tried:
    > >
    > > 1. Set "Require SSL" for default.aspx page in IIS - result is that SSL
    > > will
    > > then be used for all pages
    > >
    > > 2. Hook in Global.asax Application_BeginRequest and if the request is not
    > > for default.aspx I rewrite "https" request to "http" - that works and
    > > switches the protocol, however with switching the protocol the web browser
    > > fires the login window again (so the user has to type in the password
    > > second
    > > time and this time I believe it would travel in clear text)
    > >
    > > Any other ideas? I searched internet quite extensively but could not find
    > > anything.
    > >
    > > Thanks,
    > > Martin
    > >
    > >

    >
    >
    mpes, Mar 10, 2005
    #3
