ASP.NET and SSL question

Hi,
I have an ASP.NET 2.0 application with an ASP.NET login control in the
master page. The user can only access the home page without logging in, all
the other pages require authentication. Once the user has logged in the
login control is hidden.

To secure the users name and password does this mean my entire web site
should use SSL or can I get away with just using SSL on the home page where
they login?

Please feel free to ask for more information.
Thanks
Steve

Re: ASP.NET and SSL question

My understanding is that the scope of using SSL is one http request. So if
you navigate from the home page to other pages with https://..., you will
use SSL. If you do with http, you won't.

I am not sure though if you will remain in the same application as you
switch from http to https. Give it a try and see if the user remains
authenticated.

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net


"Steve S" wrote in message
news:9D1D406B-6731-4908-9B55-1758BD956487@microsoft.com...
> Hi,
> I have an ASP.NET 2.0 application with an ASP.NET login control in the
> master page. The user can only access the home page without logging in,
> all the other pages require authentication. Once the user has logged in
> the login control is hidden.
>
> To secure the users name and password does this mean my entire web site
> should use SSL or can I get away with just using SSL on the home page
> where they login?
>
> Please feel free to ask for more information.
> Thanks
> Steve
>
>
>
>
>

Re: ASP.NET and SSL question

Hi Eliyahu,
Thanks for the reply. I will test this out but I'm not at that stage, I'm
trying to get a heads up and work out the best way to approach this.

I've seen websites where you login under http you are then redirected to a
https page for authentication and then you can access the rest of the web
site under http for example www.king.com. I'm wondering if I could do
something similar in ASP.NET.

Cheers
Steve
"Eliyahu Goldin" wrote in
message news:OPzAaZqUIHA.4532@TK2MSFTNGP02.phx.gbl...
> My understanding is that the scope of using SSL is one http request. So if
> you navigate from the home page to other pages with https://..., you will
> use SSL. If you do with http, you won't.
>
> I am not sure though if you will remain in the same application as you
> switch from http to https. Give it a try and see if the user remains
> authenticated.
>
> --
> Eliyahu Goldin,
> Software Developer
> Microsoft MVP [ASP.NET]
> http://msmvps.com/blogs/egoldin
> http://usableasp.net
>
>
> "Steve S" wrote in message
> news:9D1D406B-6731-4908-9B55-1758BD956487@microsoft.com...
>> Hi,
>> I have an ASP.NET 2.0 application with an ASP.NET login control in the
>> master page. The user can only access the home page without logging in,
>> all the other pages require authentication. Once the user has logged in
>> the login control is hidden.
>>
>> To secure the users name and password does this mean my entire web site
>> should use SSL or can I get away with just using SSL on the home page
>> where they login?
>>
>> Please feel free to ask for more information.
>> Thanks
>> Steve
>>
>>
>>
>>
>>
>
>

Re: ASP.NET and SSL question

From my experience the user still remains authenticated as long as the forms
authentication cookie is not marked as a secure cookie. Best I can
remember the forms authentication cookie is not marked as secure by default.

"Eliyahu Goldin" wrote in
message news:OPzAaZqUIHA.4532@TK2MSFTNGP02.phx.gbl...
> My understanding is that the scope of using SSL is one http request. So if
> you navigate from the home page to other pages with https://..., you will
> use SSL. If you do with http, you won't.
>
> I am not sure though if you will remain in the same application as you
> switch from http to https. Give it a try and see if the user remains
> authenticated.
>
> --
> Eliyahu Goldin,
> Software Developer
> Microsoft MVP [ASP.NET]
> http://msmvps.com/blogs/egoldin
> http://usableasp.net
>
>
> "Steve S" wrote in message
> news:9D1D406B-6731-4908-9B55-1758BD956487@microsoft.com...
>> Hi,
>> I have an ASP.NET 2.0 application with an ASP.NET login control in the
>> master page. The user can only access the home page without logging in,
>> all the other pages require authentication. Once the user has logged in
>> the login control is hidden.
>>
>> To secure the users name and password does this mean my entire web site
>> should use SSL or can I get away with just using SSL on the home page
>> where they login?
>>
>> Please feel free to ask for more information.
>> Thanks
>> Steve
>>
>>
>>
>>
>>
>
>

Re: ASP.NET and SSL question

It all depends.

Just to secure user name and password all you need is an https on the page
that actually transmits user name and password (home page in your case).

the rest of the site might not use SSL.
SSL only protects information passed between browser and server. So on any
given page you might need to make an assessment if that page has information
that needs to be encrypted by SSL or not. If not then you use http.

There is another side called User experience. Regular users know little
about SSL and how it works.
So they can freak out if they do not see that "lock" icon in the browser. So
very often you need to make the whole section of the site to be using SSL.
Like on my E-commerce site if you go to Checkout then even page where you
chose your shipping method is using SSL. Simply because I will hard time to
explain (hence lost sales) that no one cares if that user wants to ship it
with UPS or FedEx

George.


"Steve S" wrote in message
news:9D1D406B-6731-4908-9B55-1758BD956487@microsoft.com...
> Hi,
> I have an ASP.NET 2.0 application with an ASP.NET login control in the
> master page. The user can only access the home page without logging in,
> all the other pages require authentication. Once the user has logged in
> the login control is hidden.
>
> To secure the users name and password does this mean my entire web site
> should use SSL or can I get away with just using SSL on the home page
> where they login?
>
> Please feel free to ask for more information.
> Thanks
> Steve
>
>
>
>
>

Re: ASP.NET and SSL question

Hi George,
Thanks for the email, exactly what I was looking for.
Steve
"George Ter-Saakov" wrote in message
news:ed78UO5UIHA.5300@TK2MSFTNGP03.phx.gbl...
> It all depends.
>
> Just to secure user name and password all you need is an https on the page
> that actually transmits user name and password (home page in your case).
>
> the rest of the site might not use SSL.
> SSL only protects information passed between browser and server. So on any
> given page you might need to make an assessment if that page has
> information that needs to be encrypted by SSL or not. If not then you use
> http.
>
> There is another side called User experience. Regular users know little
> about SSL and how it works.
> So they can freak out if they do not see that "lock" icon in the browser.
> So very often you need to make the whole section of the site to be using
> SSL.
> Like on my E-commerce site if you go to Checkout then even page where you
> chose your shipping method is using SSL. Simply because I will hard time
> to explain (hence lost sales) that no one cares if that user wants to ship
> it with UPS or FedEx
>
> George.
>
>
> "Steve S" wrote in message
> news:9D1D406B-6731-4908-9B55-1758BD956487@microsoft.com...
>> Hi,
>> I have an ASP.NET 2.0 application with an ASP.NET login control in the
>> master page. The user can only access the home page without logging in,
>> all the other pages require authentication. Once the user has logged in
>> the login control is hidden.
>>
>> To secure the users name and password does this mean my entire web site
>> should use SSL or can I get away with just using SSL on the home page
>> where they login?
>>
>> Please feel free to ask for more information.
>> Thanks
>> Steve
>>
>>
>>
>>
>>
>
>