I have run into a lot of problems with SSL, and would appreciate some clear
explanations:
(1) Non-SSL links within SSL pages:
In one of my earlier posts, I was having problems with links that should not
have https schemes when the links are embedded in an SSL-enforced page. One way
was to use absolute URLs - which is a deployment nightmare. The other
alternative is to use SSL within the whole site structure - which I
understand would unnecessarily burden the server. Another method was to turn
all links into server controls and then change the scheme in the page load
event. None of the methods seems to be an ideal solution.
I did find a solution - by combining code-behind and non-code-behind <% %>
blocks for the same webform. In the SSL-enabled webforms, any
href="relative.aspx" would be replaced by
href='<%= "http" & reformatfunction("relative.aspx") %>', where reformatfunction
would take a relative URL, turn it into a full URL, and then strip away its https
scheme. In this scenario, my code-behind runs its normal code without getting
cluttered with a bunch of code just to reformat link hrefs.
(2) Are cookies and authentication tickets preserved across SSL and non-SSL
call boundaries?
I read somewhere that if I go from
https://someserver/somevirtualdr/SSLPage.aspx to
http://someserver/somevirtualdr/NonSSLPage.aspx (or vice versa), any
response cookies would not be available to one another (i.e., response
cookies set in the https page would not be visible to the http page, or vice
versa). This is apparently due to the security model preventing cross-domain
scripting. However, in my code, my non-SSL page can access cookies set in
SSL pages and vice versa without any problem. Is this because of a bug in IE
(in which case I obviously wouldn't want to rely on it), or are the cross-site
scripting issues totally unrelated to SSL/non-SSL pages within the same
web application?
(3) On a related note, because I roll my own security using
FormsAuthentication and the authentication ticket, does the authentication
ticket get abandoned across the https and http boundary? My whole objective is
to use https only for sign-on/sign-off/recording sensitive information and
nothing else. In my code, the authentication ticket is passed without any
problem from the https to the non-https page. Again, I want to confirm this is by
design, not due to any bugs in IE.
Further to the above question, because I use
FormsAuthentication.RedirectFromLoginPage, after signing in (using SSL),
users get redirected to default.aspx (if ReturnURL is nothing). When
this happens, default.aspx is loaded with SSL (i.e., using https: rather
than http). Is there any way to prevent the use of SSL on the default page
after the RedirectFromLoginPage method? It's not a big issue, other than
being annoyingly inconsistent.
(4) Netscape 4 has problems with my self-signed SSL certificate?
I use the self-signing utility that comes with the IIS 6 resource kit to test SSL on
my dev box. When I attempt to connect from a Netscape 4 browser, I get "The
security library has encountered an improperly formatted DER-encoded
message" error. Any idea whether it's a problem due to the self-signed SSL
certificate, or that ASP.NET/IIS can't handle a Netscape 4 client using SSL?
(5) Again related to Netscape, has anyone had major issues with Netscape? I
have run into all sorts of problems trying to display pages correctly on NS
6 (it kind of reminds me of the days when Java was promising write once and run
anywhere, when it turned out to be write once and debug everywhere). In
particular, I have problems with the header (which is embedded as an ascx file in
each and every one of my aspx pages). NS 6 sometimes displays the header
correctly (well, the formatting is not so great, but at least all the elements
are there), and other times it would miss major elements (such as the image of
an href link). Another really annoying problem is that when I send the contents
of a file to the NS 6 browser, the save as/open window does open. However,
choosing save as produces no response at all (i.e., the file chooser doesn't
come up). Another problem is that NS 4 sometimes hangs with "reading file" showing on
the status bar. I can't figure out why it hangs. I traced the code
in the page load event without any problem. It hangs after the code exits
the Page_Load event.
All help is appreciated.
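Questions (2) and (3) above ask whether cookies and the Forms Authentication ticket survive crossing between https and http pages on the same server. Browsers scope cookies by host and path, not by scheme, unless the server marks the cookie Secure; the following added example (not code from the original post) simulates that rule with Python's http.cookiejar standing in for the browser, using constructed hostnames, cookie names and values.

```python
"""Simulate browser cookie scoping across https/http pages on one host.
Python's http.cookiejar applies the same Netscape-style domain, path and
Secure rules a browser does. All hostnames, cookie names and values here
are constructed for the demonstration."""
import email.message
import urllib.request
from http.cookiejar import CookieJar


class _Response:
    """Minimal stand-in for an HTTP response: cookiejar only needs .info()."""
    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, not replaces
    def info(self):
        return self._headers


def store_cookies(jar, url, set_cookie_headers):
    """Act as if the browser fetched url and received these Set-Cookie headers."""
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(url))


def cookies_sent_to(jar, url):
    """Sorted names of stored cookies the browser would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def demo():
    jar = CookieJar()
    # Constructed: the https sign-on page sets an auth ticket (Secure) and a preference.
    store_cookies(jar, "https://someserver.example/somevirtualdr/SSLPage.aspx", [
        "AuthTicket=ticket-value; path=/somevirtualdr; Secure; HttpOnly",  # https only
        "SitePref=blue; path=/somevirtualdr",                              # any scheme
    ])
    return {
        "https_same_dir": cookies_sent_to(jar, "https://someserver.example/somevirtualdr/NonSSLPage.aspx"),
        "http_same_dir": cookies_sent_to(jar, "http://someserver.example/somevirtualdr/NonSSLPage.aspx"),
        "http_other_dir": cookies_sent_to(jar, "http://someserver.example/otherdir/Page.aspx"),
        "http_other_host": cookies_sent_to(jar, "http://otherserver.example/somevirtualdr/NonSSLPage.aspx"),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case:16s} -> {names}")
```

Without the Secure attribute the ticket cookie would reach the http page exactly as the post observed; with it, the http page never sees the ticket, which is the setting to check on the authentication cookie if the ticket should stay on SSL pages only.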