mpes #1
SSL for login page only
Hi all,
My ASP.NET intranet web application uses windows authentication. It has to
support both IE and Mozilla browsers so I am forced to allow Basic
Authentication for Mozilla users. Because of some intranet configuration
issues I cannot use the Digest Authentication.
I would like to protect the user name/password using SSL. But for
performance reason I want to protect just login, the rest of the
communication shouldn't use SSL.
What is the way of doing this? The application start page is default.aspx.
I tried:
1. Set "Require SSL" for default.aspx page in IIS - result is that SSL will
then be used for all pages
2. Hook in Global.asax Application_BeginRequest and if the request is not
for default.aspx I rewrite "https" request to "http" - that works and
switches the protocol, however with switching the protocol the web browser
fires the login window again (so the user has to type in the password second
time and this time I believe it would travel in clear text)
Any other ideas? I searched internet quite extensively but could not find
anything.
Thanks,
Martin
mpes Guest
-
Nicole Calinoiu #2
Re: SSL for login page only
It's possible, but it's not a great idea. After a user logs in via basic
authentication, the login credentials will be communicated to the server as
simple base64-encoded plaintext in the HTTP headers. If you allow this
information to travel over HTTP, it will be as susceptible to theft by an
eavesdropper as it was at the original login.
"mpes" <mpes@community.nospam> wrote in message
news:OT5mGQVJFHA.2728@TK2MSFTNGP09.phx.gbl...
> Hi all,
>
> My ASP.NET intranet web application uses windows authentication. It has to
> support both IE and Mozilla browsers so I am forced to allow Basic
> Authentication for Mozilla users. Because of some intranet configuration
> issues I cannot use the Digest Authentication.
>
> I would like to protect the user name/password using SSL. But for
> performance reason I want to protect just login, the rest of the
> communication shouldn't use SSL.
>
> What is the way of doing this? The application start page is default.aspx.
>
> I tried:
>
> 1. Set "Require SSL" for default.aspx page in IIS - result is that SSL will
> then be used for all pages
>
> 2. Hook in Global.asax Application_BeginRequest and if the request is not
> for default.aspx I rewrite "https" request to "http" - that works and
> switches the protocol, however with switching the protocol the web browser
> fires the login window again (so the user has to type in the password second
> time and this time I believe it would travel in clear text)
>
> Any other ideas? I searched internet quite extensively but could not find
> anything.
>
> Thanks,
> Martin
>
>
Nicole Calinoiu Guest
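
Added example (not part of the original posts): a small Python audit of a constructed request capture. It shows that the Basic `Authorization` header decodes directly to the user name and password, and that requests made after the SSL-protected login still carry it. The host name, paths and credentials are made up.

```python
import base64
import binascii

def basic_credentials(raw_request):
    """Return (user, password) from an Authorization: Basic header, else None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:               # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                                # malformed token
        user, sep, password = decoded.partition(":")   # password may contain ':'
        return (user, password) if sep else None
    return None

def exposed_requests(capture):
    """Paths of requests that carried Basic credentials without SSL."""
    exposed = []
    for scheme, raw in capture:
        if scheme != "https" and basic_credentials(raw) is not None:
            exposed.append(raw.split(" ", 2)[1])       # path from the request line
    return exposed

def _request(path, user=None, password=None):
    """Build a constructed sample request, optionally with Basic credentials."""
    lines = ["GET %s HTTP/1.1" % path, "Host: intranet.example"]
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        lines.append("Authorization: Basic " + token)
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed capture: login over SSL, then the browser repeats the same
# header on every later request to the protected application.
CAPTURE = [
    ("https", _request("/default.aspx", "martin", "pa:ss")),
    ("http", _request("/reports.aspx", "martin", "pa:ss")),
    ("http", _request("/images/logo.gif", "martin", "pa:ss")),
    ("http", _request("/public.htm")),
]

if __name__ == "__main__":
    for path in exposed_requests(CAPTURE):
        print("Basic credentials sent without SSL:", path)
```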
-
mpes #3
Re: SSL for login page only
Thanks Nicole,
Well, I did not know that thing about credentials in HTTP headers. Of course
in such circumstances it does not make sense to SSL encode just the initial
login. That would explain why I could not find any "How to do it" info on
the internet :-)
Thanks a lot!
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:OUP24mWJFHA.3752@TK2MSFTNGP14.phx.gbl...
> It's possible, but it's not a great idea. After a user logs in via basic
> authentication, the login credentials will be communicated to the server as
> simple base64-encoded plaintext in the HTTP headers. If you allow this
> information to travel over HTTP, it will be as susceptible to theft by an
> eavesdropper as it was at the original login.
>
> "mpes" <mpes@community.nospam> wrote in message
> news:OT5mGQVJFHA.2728@TK2MSFTNGP09.phx.gbl...
> > Hi all,
> >
> > My ASP.NET intranet web application uses windows authentication. It has to
> > support both IE and Mozilla browsers so I am forced to allow Basic
> > Authentication for Mozilla users. Because of some intranet configuration
> > issues I cannot use the Digest Authentication.
> >
> > I would like to protect the user name/password using SSL. But for
> > performance reason I want to protect just login, the rest of the
> > communication shouldn't use SSL.
> >
> > What is the way of doing this? The application start page is default.aspx.
> >
> > I tried:
> >
> > 1. Set "Require SSL" for default.aspx page in IIS - result is that SSL will
> > then be used for all pages
> >
> > 2. Hook in Global.asax Application_BeginRequest and if the request is not
> > for default.aspx I rewrite "https" request to "http" - that works and
> > switches the protocol, however with switching the protocol the web browser
> > fires the login window again (so the user has to type in the password second
> > time and this time I believe it would travel in clear text)
> >
> > Any other ideas? I searched internet quite extensively but could not find
> > anything.
> >
> > Thanks,
> > Martin
mpes Guest




