Ask a Question related to ASP.NET Security, Design and Development.
-
wrytat #1
Form Authentication with SSL
If I use form authentication with SSL with my web application, when I access
my login page, I will go to https://www.mydomainname.com/login.aspx. After
login, say I redirect the user to afterlogin.aspx. Will my address remain as
https://www.mydomainname.com/afterlogin.aspx?
Can I explicitly redirect it to http://www.mydomainname.com/afterlogin.aspx?
Is this a good practice?
This is because my ISP requires me to put every aspx file that requires SSL
encryption in a "/secure" folder, and to access it, users have to go to
https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx. So, most
probably, I'll put my login page in that folder, while the other files, I'll
put in other folder since I only need SSL for login. Am I right?
wrytat Guest
-
Brock Allen #2
Re: Form Authentication with SSL
> If I use form authentication with SSL with my web application, when I
> access my login page, I will go to
> https://www.mydomainname.com/login.aspx. After login, say I redirect
> the user to afterlogin.aspx. Will my address remain as
> https://www.mydomainname.com/afterlogin.aspx?

Yeah, the RedirectFromLoginPage will keep the https protocol in the address.

> Can I explicitly redirect it to
> http://www.mydomainname.com/afterlogin.aspx? Is this a good practice?

You can. Instead of FormsAuthentication.RedirectFromLoginPage, just call
FormsAuthentication.SetAuthCookie and then do your own redirect. People do
this all the time to redirect based upon the specific user.

> This is because my ISP requires me to put every aspx file that
> requires SSL encryption in a "/secure" folder, and to access it, users
> have to go to
> https://secure.my-ISP-domain-name.com/my-domain-name/filename.aspx.

Hmm, ok. If they say so :)

> So, most probably, I'll put my login page in that folder, while the
> other files, I'll put in other folder since I only need SSL for login.
> Am I right?

Well, the one thing to keep in mind is that once they've logged in, the cookie
sent back to the browser is what identifies the user. So if the browser is
sending cookies over a non secure channel (http vs https) then if I'm an
attacker and I'm sniffing network packets I could potentially steal the cookie
and then use it as my own. So, if your app is important then I'd make all
pages that require authentication go over https. For other pages they can
go over http but only if the browser doesn't send the cookie and this can
be requested by a web.config setting:

<forms requireSSL="true" />
-Brock
DevelopMentor
http://staff.develop.com/ballen
Brock Allen Guest
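The approach described in the reply above (SetAuthCookie followed by your own redirect, with requireSSL="true" so the ticket cookie is only sent over https), as an added example that is not part of the original posts. The page class, the control names (UserName, Password, ErrorLabel), the use of Membership as the credential store, and https being served on the same host name are all assumptions.

```csharp
// Added example: code-behind for a hypothetical login.aspx.
// Assumes web.config has <forms loginUrl="login.aspx" requireSSL="true" />
// inside <authentication mode="Forms">, and a configured Membership provider.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Serve the login form itself over https so the password is never
        // posted in clear text. Assumes the same host name answers on https.
        if (!Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
        }
    }

    // Wired to the submit button; UserName, Password and ErrorLabel are
    // hypothetical controls declared in login.aspx.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Fail closed if the requireSSL setting is missing: without it the
        // ticket cookie is issued without the Secure flag and the browser
        // will also send it on plain http requests.
        if (!FormsAuthentication.RequireSSL)
        {
            throw new InvalidOperationException(
                "Set requireSSL=\"true\" on <forms> before issuing auth cookies.");
        }

        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issue the ticket cookie ourselves instead of RedirectFromLoginPage.
        // false = session cookie, not persisted to disk.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Our own redirect. An app-relative target keeps the current scheme,
        // so the authenticated page is requested over https and receives the cookie.
        Response.Redirect("~/afterlogin.aspx", true);
    }
}
```

With requireSSL="true", SetAuthCookie throws an HttpException if it is called on a request that did not arrive over https, and a later request to an http URL arrives without the ticket and is treated as anonymous.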