How to protect the login and zone of the participant with an SSL certificate?

Background. I have an asp.net web application project that should contain a public scope and a member scope. Now I want to implement SSL encryption to protect communication between the client and server. (At the university, we have an unsecured wireless network, and you can use a WLAN sniffer to read the username/password. I do not want to have this security problem for my application, so I thought about SSL encryption.)

The application runs on IIS 7.5. Is it possible to have one webapp that has unprotected pages (for example, a public zone) and a protected area (for example, a member region that requires a login)? If so, how can I handle the link between these two areas?

Example: My webapp is hosted at http://foo.abc . I have pages like http://foo.abc/default.aspx and http://foo.abc/foo.aspx .

In the same project there is a page like /member/default.aspx , which is protected by a login on the page http://foo.abc/login.aspx .

Therefore, I will need to implement SSL for the /login.aspx page and all pages in /member/ .

How can I do this? I just found out how to create SSL certificates in IIS 7.5 and how to add such a binding to the webapp. How can I say that my webpage should be called with https, not http? What is the best practice there?

+6
c# ssl
3 answers

From here: How to use HTTPS in ASP.Net

After you have installed SSL, you want to do some redirection to the login page at https:// . Then any page to which the user is sent after verification can simply be http:// .

 Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
     ' Redirect to the https:// form of the same URL unless the request is
     ' already secure or we are running on the local test machine
     If Request.IsSecureConnection = False And _
        Not Request.Url.Host.Contains("localhost") Then
         Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
     End If
 End Sub

It may be easier to implement on the master page, or just on all the pages that you require https for. By checking for "localhost" you will avoid getting an error in the test environment (if your test server has a different name, check for that instead: "Mytestservername").

+3

I do not work with .net, but we have websites with a similar setup, where some pages are unencrypted and served using http, and a bunch of pages are served using https instead. Here are some things we did... hope they will be helpful.

  • You need to somehow pass the configuration to your code so that it knows the base URI of both the http and https parts. E.g. if your server is foo.bar, you need your code to know that the protected pages are at https://foo.bar:xxx/... and the insecure pages at http://foo.bar/...

  • You can set up your server with some redirects to make your life easier. E.g. if in your server configuration on port 80 you redirect /xxx to port 443 /xxx, then on your http pages you can simply use the relative URL, for example /xxx, and not include the base URI. Conversely, you can configure forwarding on port 443 /yyy to port 80 /yyy, and then on https pages you can just use a relative URL like /yyy.

  • Posting between http and https pages: you cannot redirect a POST, so you need to use the base URI of the http or https pages in the form element. That is, on your http pages, if you POST to https, you need to specify the base https URI in the action attribute of the form element. This is the reason for point 1 above.

  • Obviously, both your http and https code should check the cookies to determine if the user is logged in, but you want the https pages to check for the presence of secure cookies, i.e. cookies which the browser sends only over an https connection. Your plain-text cookies may be sniffed.

  • AJAX: it's complicated. You cannot use cross-domain AJAX due to the JavaScript security model. This means that if you are on http, you cannot use AJAX to https or vice versa; port changes are considered different domains by the browser. There are workarounds, such as using hidden frames, etc., but these solutions are quite complex and often have security holes.

+3
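The two answers above describe the same mechanism from different angles: redirect the login page and the member area to https, and make sure the cookies that carry the login state are only ever sent over https. The following is an added example (not code from either answerer, nor from the asker's project) that does both as one ASP.NET IHttpModule for the IIS 7.5 integrated pipeline; the module name, the list of protected paths (/login.aspx and /member/ from the question) and the web.config registration shown in the comments are this example's own assumptions.

```csharp
// Added example, not part of the original answers. Assumes ASP.NET 4 on IIS 7.5
// in integrated pipeline mode and an HTTPS binding on the default port 443.
// Register in web.config (assumed placement):
//   <system.webServer><modules>
//     <add name="SslZoneModule" type="SslZoneModule" />
//   </modules></system.webServer>
// and additionally set <forms requireSSL="true" /> plus
// <httpCookies requireSSL="true" httpOnlyCookies="true" /> under <system.web>
// so the forms-authentication ticket itself is never accepted over plain HTTP.
using System;
using System.Web;

public class SslZoneModule : IHttpModule
{
    // App-relative prefixes that must only be reached over HTTPS (from the question).
    private static readonly string[] ProtectedPrefixes = { "~/login.aspx", "~/member/" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    // True when the app-relative path (as returned by
    // Request.AppRelativeCurrentExecutionFilePath, e.g. "~/member/default.aspx")
    // belongs to the protected zone.
    public static bool IsProtectedPath(string appRelativePath)
    {
        foreach (var prefix in ProtectedPrefixes)
        {
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Builds the https:// form of a URL, keeping host, path and query string.
    // Unlike a plain string Replace("http://", "https://") this also fixes the
    // port: -1 selects the scheme default (443); a test server on a
    // non-standard HTTPS port can pass that port instead.
    public static Uri ToHttps(Uri original, int httpsPort)
    {
        var builder = new UriBuilder(original) { Scheme = Uri.UriSchemeHttps, Port = httpsPort };
        return builder.Uri;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var req = ctx.Request;

        // Same idea as the "localhost" check in the first answer, but using
        // Request.IsLocal so it does not depend on the test server's host name.
        if (req.IsSecureConnection || req.IsLocal)
            return;

        if (IsProtectedPath(req.AppRelativeCurrentExecutionFilePath))
        {
            // 301 to the https version; endResponse=true stops the page from
            // executing (and echoing a login form) over plain HTTP.
            ctx.Response.RedirectPermanent(ToHttps(req.Url, -1).AbsoluteUri, true);
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection)
            return;

        // Every cookie issued while on HTTPS gets Secure + HttpOnly, so the
        // browser will not send it back over the plain-HTTP public zone where a
        // WLAN sniffer could read it, and page scripts cannot read it either.
        foreach (string name in ctx.Response.Cookies.AllKeys)
        {
            var cookie = ctx.Response.Cookies[name];
            cookie.Secure = true;
            cookie.HttpOnly = true;
        }
    }
}
```

With this in place the public pages keep working over http, while a request such as http://foo.abc/member/default.aspx?x=1 is answered with a redirect to https://foo.abc/member/default.aspx?x=1 before any member-area code runs; if the public and member zones share the same forms-authentication cookie, leave requireSSL on so that a sniffed copy of the cookie is useless on the http side.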

Just a caution: you should not use a self-signed certificate on a production site. Ideally, you should get one from a trusted certification authority (CA). Big names are Verisign and Thawte, but there are other, cheaper CAs.

If you use a self-signed certificate on a real site, your users will receive an ugly warning message asking them whether to continue.

As for redirecting users to https areas, I usually just redirect the pages that I want to protect (for example, if a user goes to http://domain.com/login.aspx , I immediately redirect the request to https://domain.com/login.aspx with Response.Redirect(...)), then take them back out of the secure SSL area after successful authentication.

+2