Solved

Using SSL on a webserver

Posted on 2001-06-12
18
505 Views
Last Modified: 2013-11-29
I want to use SSL in my application 's sensitive pages (e.g login page)
That mean SSL will be used when user is login, once login is completed, it will be redirect to another page which do not need SSL.
However, I found that during such Response.Redirect from a https to http, a security alert always popup and tell "You are about to be redirected to a connection that is not secure...."
How can I avoid this? as I feel it is very annoying to user. I don't want to use https for the whole application as it will slow down the performance.

The directory structure is defined as below:
https//www.mysite.com/weblogon/logon.asp (login page with ssl)
http://www.mysite.com/application/default.asp (my application)

Thx.
0
Comment
Question by:LCP
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 4
  • +2
18 Comments
 
LVL 2

Accepted Solution

by:
ZhongYu earned 100 total points
ID: 6184568
The feature is because of the browser configuration.

Goto menu:   Tool/Internet Options/Advanced/
uncheck "Warn if changing between secure and not secure mode"

0
 
LVL 1

Author Comment

by:LCP
ID: 6184643
I have try to uncheck this setting already but it is still doesn't work.
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6184668
Then redirect is the problem. You may not be able to avoid it. Could you consider redirect to a secure page and after that using unsecure pages? The performance costs of using secure page is not high, redirect is much higher. If you use IIS 5, consider using transfer.  
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 20

Expert Comment

by:Silvers5
ID: 6184677
This is a client side feture, you can't controle it from your side.. the user must lower his security warnings also from the security tab.. or preferences in Netscape..
0
 
LVL 1

Author Comment

by:LCP
ID: 6185687
I have tried to lower the security setting in IE, but it still popup.
If I put a http link <A> on the HTTPS page, there is no problem of redirection.
If I use Refresh Header in the page, it is also no problem.

The problem just appear in Response.Redirect. If this cannot be solve, I can only make all of page redirection of https to http using the Refresh Header only.

I am using IE5.5 with SP1
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6185722
If you understand how redirect work, you can easily guess why it can cause problem.

When your asp run response.redirect, it clears the buffer (thats why you cannot redirect after sending anything to the client) and send a http header stating that the page has been moved and it should get the new page at the new address you want to redirect to. Then the browser try again to get the new page.

So every redirect cause en extra call. Besides, some proxy server will try to interprete the header and react according to it and result is that the application based on redirect will not work.

0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6185763
use server.transfer instead if you are using IIS5
0
 

Expert Comment

by:Antonio_99
ID: 6185884
Another Question as I am going to be Diving into makeing a page that takes credit cards soon. For SSL do you have to have a verisign.com approve your auth for SSL to work? or is that only for a good mind for your customers?
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6185910

Your customer must trust the issuer of your server certificate. Verisign CA certificates are always installed on the client computer, so there will be no problem and security warning. If you issue your own server certificate, the first thing the client to do is to install your CA certificate. Not everyone will do that, those try not always succeed.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6186005
if you won't get a key, the users will see a prompt that your site can't be trusted..
0
 
LVL 1

Author Comment

by:LCP
ID: 6187116
we can't use server.transfer to run a full path.
e.g. Server.Transfer "http://www.mysite.com/application/default.asp

Server.Transer only support relative path and also no querystring can be supplied. Also, the URL display in location bar will be the original page that call Server.Transfer, not the page redirected because it doesn't tell the browser that page have transfered and therefore it will cause the page flow control problem.

If you want to run from a secure page (https) page to a non-secure page (http), u need to specify the protocol to be used (http://), and that's why Server.transfer cannot be used in this case. Unless, all pages are running under https, but it is not the solution that I want. It is because I just want the login page use HTTPS. When user submit the userid and password, after verification, I will redirect to my application main page with HTTP only. Just that simple.
0
 
LVL 1

Author Comment

by:LCP
ID: 6187118

For SSL, u need to apply a server certificate from one of the CA like verisign. If u are using the CA which is very common, I think you don't need to worry about it as most browser will trust that CA by default. However, if my question can't be solve, then I think u need to use SSL for your whole application. Otherwise, the User will will ignoring to ans Yes everytime when u redirect the page..

Corrent me if I am wrong.

Thx.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6189801
Yes.. Lots of users disable the prompts BTW by clicking do not show this warning..
0
 
LVL 1

Author Comment

by:LCP
ID: 6193593
yes. but the prompt that can disable is :
"You are about to leave a secure Internet connection. It will be possible for others to view information you send.
Do you want to continue?" also there is a checkbox and ask whether you want to show this warning in the future.

I have disable this warning in the tools -> internet options.

but still show the prompt "You are about to be redirected to a connection that is not secure...."

It is two different prompt but the meaning is similar.
Btw, anyway have experience surf a site that got secure and non-secure connection at the same time?
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6194117
Again..it's a client side issue.. set for security reason, suppose you are entering your credit card info on a site and some hacker hacked the site and redirected submission links to his site! so you see..
0
 
LVL 1

Author Comment

by:LCP
ID: 6203124
ok... but how do people do usually when they got some pages use SSL only? I often hear people said they just set some pages of their site use SSL (e.g login, credit card input), and others use http only. It seems that seldom people raise up such question and that's why I suspected that I got some wrong step.
They don't use redirect?
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6205341
yes.. I'll post you some info:

SSL - Secure Socket Layer is a connection that is made on port 443 ,

the connection is Cyphered (encrypted) based on the browser encryption

capabilities (up to 128 bit) usually the HTTP connection is made on

port 80 and the data is transmitted as plain text thus rendering

sensible info vulnerable.. you should setup SSL in IIS settings for the

site, you set the SSL port to 443 in the Web Site tab, clicking on the

advanced tab you should see the site IP and SSL port number in multiple

SSL identities area.. otherwise add the entry.. now the simple thing

that should be done on your site is the page you want to use SSL in it

you should link to it using the full url preceeded by the https.. like

https://mysite.com/secure.asp the client will get a notice that he's

entering a secure site, this is a client side feature.. if you don't purchase a key from a security company then the client will also get a notice that the site security info is unavailabe (that means the client might be logging to a spoofed site similar to yours) when you want to exit SSL you simply forward the client to an http: URL..

so you better get also a key from a security company like verisign.com

that will guarantee to the client that his IS connected to your site..

they have also there some info you might find useful to read..
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6975154
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20093645.html
http://www.experts-exchange.com/questions/Q.20100190.html
http://www.experts-exchange.com/questions/Q.20100827.html
http://www.experts-exchange.com/questions/Q.20109514.html
http://www.experts-exchange.com/questions/Q.20134324.html
http://www.experts-exchange.com/questions/Q.20167478.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Learn about the eCommerce marketing trends for the year ahead.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question