Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   Forms Authentication and SSL (http://www.velocityreviews.com/forums/t765260-forms-authentication-and-ssl.html)

Michael Tissington 10-21-2003 05:10 PM

Forms Authentication and SSL
 
I'm using Forms Authentication, the user may come from a HTTP page, the
login page is using SSL, so after logging in the user will be redirected
back to a non SSL page.

This used to work without any warnings. Suddenly after entering the login
information IE is warning the user that they are being redirected to a non
secure page.

What is causing this?

If I change the login page to non ssl (just HTTP) then I don't get the
problem.

How can I use SSL for the login page and not prompt the user when they are
being redirected?

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com




Jacob Yang [MSFT] 10-22-2003 07:36 AM

RE: Forms Authentication and SSL
 
Hi Michael,

From security consideration, IE will prompt us this security alert either
when we enter into a secure website from a non-secure one, or vice versa.
To my knowledge, we cannot dismiss this alert, unless we check the "In the
future, do not show this warning" checkbox.

This security alert is very useful in the case if we want to send out our
secret information, such as credit account number, password, over internet.
With this alert, we should be notified whether the web site we are
communicating is a real secure or valid web site before sending out the
secret information. Without this security alert, we have no sense whether
the web site is secure.

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ĘC www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.


Michael Tissington 10-22-2003 03:24 PM

Re: Forms Authentication and SSL
 
Jacob,

Yes, it partly answers my question.

The other aspect of this is how do I use forms authentication with SSL

Consider the following

1) User views a non SSL page
2) Clicks on a link which requires forms authentication
3) Web.config points to a https page for the login information
4) Using SSL the login information is collected
5) How then does the redirection back to the refering page work?
is it SSL or the original protocol - can it be specified?

Basically we are are just wanting to collect the user information using SSL
and then return to the protocol that was using when the user clicked on the
link (which may or may not be https)

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com


"Jacob Yang [MSFT]" <jiany@online.microsoft.com> wrote in message
news:TF$S48GmDHA.576@cpmsftngxa06.phx.gbl...
> Hi Michael,
>
> From security consideration, IE will prompt us this security alert either
> when we enter into a secure website from a non-secure one, or vice versa.
> To my knowledge, we cannot dismiss this alert, unless we check the "In the
> future, do not show this warning" checkbox.
>
> This security alert is very useful in the case if we want to send out our
> secret information, such as credit account number, password, over

internet.
> With this alert, we should be notified whether the web site we are
> communicating is a real secure or valid web site before sending out the
> secret information. Without this security alert, we have no sense whether
> the web site is secure.
>
> Does it answer your question? If I have misunderstood your concern, please
> feel free to let me know.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> Get Secure! ĘC www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>




MSFT 10-23-2003 11:05 AM

Re: Forms Authentication and SSL
 
Hi Michael,

Is the login form (SSL required) in the same web application or virtual
folder?

With FormsAuthentication.RedirectFromLoginPage method, we can't specufy the
protocol or get the source protocol from From FormsAuthentication object.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



All times are GMT. The time now is 06:43 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.