Form Authentication with SSL

W

wrytat

If I use form authentication with SSL with my web application, when I access
my login page, I will go to https://www.mydomainname.com/login.aspx. After
login, say I redirect the user to afterlogin.aspx. Will my address remain as
https://www.mydomainname.com/afterlogin.aspx?

Can I explicitly redirect it to http://www.mydomainname.com/afterlogin.aspx?
Is this a good practice?

This is because my ISP requires me to put every aspx file that requires SSL
encryption in a "/secure" folder, and to access it, users have to go to
https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx. So, most
probably, I'll put my login page in that folder, while the other files, I'll
put in other folder since I only need SSL for login. Am I right?
 
B

Brock Allen

If I use form authentication with SSL with my web application, when I
access my login page, I will go to
https://www.mydomainname.com/login.aspx. After login, say I redirect
the user to afterlogin.aspx. Will my address remain as
https://www.mydomainname.com/afterlogin.aspx?
Click to expand...

Yeah, the RedirectFromLoginPage will keep the https protocol in the address.
Can I explicitly redirect it to
http://www.mydomainname.com/afterlogin.aspx? Is this a good practice?
Click to expand...

You can. Instead of FormsAuthenticaytion.RedirectFromLoginPage, just call
FormsAuthentication.SetAuthCookie and then do your own redirect. People do
this all the time to redirect based upon the specific user.
This is because my ISP requires me to put every aspx file that
requires SSL encryption in a "/secure" folder, and to access it, users
have to go to
https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx.
Click to expand...

Hmm, ok. If they say so :)
So, most probably, I'll put my login page in that folder, while the
other files, I'll put in other folder since I only need SSL for login.
Am I right?
Click to expand...

Well, the one thing to keep in mind is that once they've logged in, the cookie
sent back to the browser is what identifies the user. So if the browser is
sending cookies over a non secure channel (http vs https) then if I'm an
attacker and I'm sniffing network packats I could potentially steal the cookie
and then use it was my own. So, if your app is important then I'd make all
pages that require authentication go over https. For other pages they can
go over http but only if the browser doesn't send the cookie and this can
be requested by a web.config setting:

<forms>
requireSSL="true"
</forms>
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Integrated Authentication with SSL 6
Problem in getting dashboard page from login page in python pycharm using POST command 0
Form Authentication (redirect to https) 5
SSL Forms Authentication Redirect - Problem Redirecting out of HTTPS 4
Problem establishing SSL connection in code-behind 12
Forms Authentication and SSL 0
HTTPClient problem with SSL and ruby 1.8.7 3
CORS/Express: Getting data from server from domain html 2

Members online

No members online now.
Total: 23 (members: 0, guests: 23)
Robots: 302

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,007
Latest member
obedient dusk

Latest Threads

Top