Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Forms Authentication and SSL

Reply
Thread Tools

Forms Authentication and SSL

 
 
Michael Tissington
Guest
Posts: n/a
 
      10-21-2003
I'm using Forms Authentication, the user may come from a HTTP page, the
login page is using SSL, so after logging in the user will be redirected
back to a non SSL page.

This used to work without any warnings. Suddenly after entering the login
information IE is warning the user that they are being redirected to a non
secure page.

What is causing this?

If I change the login page to non ssl (just HTTP) then I don't get the
problem.

How can I use SSL for the login page and not prompt the user when they are
being redirected?

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com



 
Reply With Quote
 
 
 
 
Jacob Yang [MSFT]
Guest
Posts: n/a
 
      10-22-2003
Hi Michael,

From security consideration, IE will prompt us this security alert either
when we enter into a secure website from a non-secure one, or vice versa.
To my knowledge, we cannot dismiss this alert, unless we check the "In the
future, do not show this warning" checkbox.

This security alert is very useful in the case if we want to send out our
secret information, such as credit account number, password, over internet.
With this alert, we should be notified whether the web site we are
communicating is a real secure or valid web site before sending out the
secret information. Without this security alert, we have no sense whether
the web site is secure.

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ĘC www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Reply With Quote
 
 
 
 
Michael Tissington
Guest
Posts: n/a
 
      10-22-2003
Jacob,

Yes, it partly answers my question.

The other aspect of this is how do I use forms authentication with SSL

Consider the following

1) User views a non SSL page
2) Clicks on a link which requires forms authentication
3) Web.config points to a https page for the login information
4) Using SSL the login information is collected
5) How then does the redirection back to the refering page work?
is it SSL or the original protocol - can it be specified?

Basically we are are just wanting to collect the user information using SSL
and then return to the protocol that was using when the user clicked on the
link (which may or may not be https)

Thanks.

--
Michael Tissington
http://www.tabtag.com
http://www.oaklodge.com


"Jacob Yang [MSFT]" <(E-Mail Removed)> wrote in message
news:TF$(E-Mail Removed)...
> Hi Michael,
>
> From security consideration, IE will prompt us this security alert either
> when we enter into a secure website from a non-secure one, or vice versa.
> To my knowledge, we cannot dismiss this alert, unless we check the "In the
> future, do not show this warning" checkbox.
>
> This security alert is very useful in the case if we want to send out our
> secret information, such as credit account number, password, over

internet.
> With this alert, we should be notified whether the web site we are
> communicating is a real secure or valid web site before sending out the
> secret information. Without this security alert, we have no sense whether
> the web site is secure.
>
> Does it answer your question? If I have misunderstood your concern, please
> feel free to let me know.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> Get Secure! ĘC www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>



 
Reply With Quote
 
MSFT
Guest
Posts: n/a
 
      10-23-2003
Hi Michael,

Is the login form (SSL required) in the same web application or virtual
folder?

With FormsAuthentication.RedirectFromLoginPage method, we can't specufy the
protocol or get the source protocol from From FormsAuthentication object.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Best practices for using forms authentication and security in a hosted env (was: Re: Using a Forms authentication in a shared hosting environment) JEFF ASP .Net 1 11-12-2007 07:00 PM
forms authentication -- expired forms cookie vs. not provided forms cookie Eric ASP .Net Security 2 01-27-2006 10:09 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication Eric ASP .Net 2 02-13-2004 02:14 PM
Strange behavior using SSL and "FORMS" authentication. =?Utf-8?B?Z21hcnF1ZXo=?= ASP .Net 3 01-06-2004 08:57 PM
Forms Authentication and SSL Marco Roello ASP .Net Security 0 07-15-2003 07:54 AM



Advertisments