Pros and cons for using https on a logon page?


Randall Parker

1) What sorts of scenarios make the possibility of sniffing out a password a higher risk?

2) Do packets travel unencrypted over 802.11 wireless? Is it easy to sniff such
packets and catch a submit of a logon web page using http? Wireless strikes me as the
greatest risk.

3) Have you used http or https for Logon.aspx pages and why?

4) Anyone know if IIS on Windows Server 2003 has https built in? Easy or hard to

5) If one uses https does one have to do any different code in the CodeBehind for the
web page? Or is that all handled in the IIS configuration and Web.config?

6) How does one redirect from an https logon back to the http page the user logged in
on? Does the http part show up in the RETURNURL argument?


Hi Randall,

I'd recommend reading this article regarding switching betweeen HTTP
and HTTPS automatically:

You can install the free SelfSSL as part of the IIS resource kit. Users
will get a warning that your certificate is not trusted, but the
connection will be encrypted:

RapidSSL has pretty cheap trusted SSL certificates:

Regarding your questions:

1. if someone can see a packet going to your server, they can see the
password if not using SSL.

2. if using encrypted wireless, then no. But the leg of the trip that
does not go over encrypted wireless will not be encrypted.

3. yes. to increase user trust, and to prevent packet sniffing

4. IIS supports SSL, but you need an SSL certificate.

5. you won't need to change any code. you can enforce SSL using IIS

6. see the first link



Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Latest member

Latest Threads