Solved

Using SSL on a webserver

Posted on 2001-06-12
18
496 Views
Last Modified: 2013-11-29
I want to use SSL in my application 's sensitive pages (e.g login page)
That mean SSL will be used when user is login, once login is completed, it will be redirect to another page which do not need SSL.
However, I found that during such Response.Redirect from a https to http, a security alert always popup and tell "You are about to be redirected to a connection that is not secure...."
How can I avoid this? as I feel it is very annoying to user. I don't want to use https for the whole application as it will slow down the performance.

The directory structure is defined as below:
https//www.mysite.com/weblogon/logon.asp (login page with ssl)
http://www.mysite.com/application/default.asp (my application)

Thx.
0
Comment
Question by:LCP
  • 6
  • 6
  • 4
  • +2
18 Comments
 
LVL 2

Accepted Solution

by:
ZhongYu earned 100 total points
ID: 6184568
The feature is because of the browser configuration.

Goto menu:   Tool/Internet Options/Advanced/
uncheck "Warn if changing between secure and not secure mode"

0
 
LVL 1

Author Comment

by:LCP
ID: 6184643
I have try to uncheck this setting already but it is still doesn't work.
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6184668
Then redirect is the problem. You may not be able to avoid it. Could you consider redirect to a secure page and after that using unsecure pages? The performance costs of using secure page is not high, redirect is much higher. If you use IIS 5, consider using transfer.  
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6184677
This is a client side feture, you can't controle it from your side.. the user must lower his security warnings also from the security tab.. or preferences in Netscape..
0
 
LVL 1

Author Comment

by:LCP
ID: 6185687
I have tried to lower the security setting in IE, but it still popup.
If I put a http link <A> on the HTTPS page, there is no problem of redirection.
If I use Refresh Header in the page, it is also no problem.

The problem just appear in Response.Redirect. If this cannot be solve, I can only make all of page redirection of https to http using the Refresh Header only.

I am using IE5.5 with SP1
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6185722
If you understand how redirect work, you can easily guess why it can cause problem.

When your asp run response.redirect, it clears the buffer (thats why you cannot redirect after sending anything to the client) and send a http header stating that the page has been moved and it should get the new page at the new address you want to redirect to. Then the browser try again to get the new page.

So every redirect cause en extra call. Besides, some proxy server will try to interprete the header and react according to it and result is that the application based on redirect will not work.

0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6185763
use server.transfer instead if you are using IIS5
0
 

Expert Comment

by:Antonio_99
ID: 6185884
Another Question as I am going to be Diving into makeing a page that takes credit cards soon. For SSL do you have to have a verisign.com approve your auth for SSL to work? or is that only for a good mind for your customers?
0
 
LVL 2

Expert Comment

by:ZhongYu
ID: 6185910

Your customer must trust the issuer of your server certificate. Verisign CA certificates are always installed on the client computer, so there will be no problem and security warning. If you issue your own server certificate, the first thing the client to do is to install your CA certificate. Not everyone will do that, those try not always succeed.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 20

Expert Comment

by:Silvers5
ID: 6186005
if you won't get a key, the users will see a prompt that your site can't be trusted..
0
 
LVL 1

Author Comment

by:LCP
ID: 6187116
we can't use server.transfer to run a full path.
e.g. Server.Transfer "http://www.mysite.com/application/default.asp

Server.Transer only support relative path and also no querystring can be supplied. Also, the URL display in location bar will be the original page that call Server.Transfer, not the page redirected because it doesn't tell the browser that page have transfered and therefore it will cause the page flow control problem.

If you want to run from a secure page (https) page to a non-secure page (http), u need to specify the protocol to be used (http://), and that's why Server.transfer cannot be used in this case. Unless, all pages are running under https, but it is not the solution that I want. It is because I just want the login page use HTTPS. When user submit the userid and password, after verification, I will redirect to my application main page with HTTP only. Just that simple.
0
 
LVL 1

Author Comment

by:LCP
ID: 6187118

For SSL, u need to apply a server certificate from one of the CA like verisign. If u are using the CA which is very common, I think you don't need to worry about it as most browser will trust that CA by default. However, if my question can't be solve, then I think u need to use SSL for your whole application. Otherwise, the User will will ignoring to ans Yes everytime when u redirect the page..

Corrent me if I am wrong.

Thx.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6189801
Yes.. Lots of users disable the prompts BTW by clicking do not show this warning..
0
 
LVL 1

Author Comment

by:LCP
ID: 6193593
yes. but the prompt that can disable is :
"You are about to leave a secure Internet connection. It will be possible for others to view information you send.
Do you want to continue?" also there is a checkbox and ask whether you want to show this warning in the future.

I have disable this warning in the tools -> internet options.

but still show the prompt "You are about to be redirected to a connection that is not secure...."

It is two different prompt but the meaning is similar.
Btw, anyway have experience surf a site that got secure and non-secure connection at the same time?
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6194117
Again..it's a client side issue.. set for security reason, suppose you are entering your credit card info on a site and some hacker hacked the site and redirected submission links to his site! so you see..
0
 
LVL 1

Author Comment

by:LCP
ID: 6203124
ok... but how do people do usually when they got some pages use SSL only? I often hear people said they just set some pages of their site use SSL (e.g login, credit card input), and others use http only. It seems that seldom people raise up such question and that's why I suspected that I got some wrong step.
They don't use redirect?
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6205341
yes.. I'll post you some info:

SSL - Secure Socket Layer is a connection that is made on port 443 ,

the connection is Cyphered (encrypted) based on the browser encryption

capabilities (up to 128 bit) usually the HTTP connection is made on

port 80 and the data is transmitted as plain text thus rendering

sensible info vulnerable.. you should setup SSL in IIS settings for the

site, you set the SSL port to 443 in the Web Site tab, clicking on the

advanced tab you should see the site IP and SSL port number in multiple

SSL identities area.. otherwise add the entry.. now the simple thing

that should be done on your site is the page you want to use SSL in it

you should link to it using the full url preceeded by the https.. like

https://mysite.com/secure.asp the client will get a notice that he's

entering a secure site, this is a client side feature.. if you don't purchase a key from a security company then the client will also get a notice that the site security info is unavailabe (that means the client might be logging to a spoofed site similar to yours) when you want to exit SSL you simply forward the client to an http: URL..

so you better get also a key from a security company like verisign.com

that will guarantee to the client that his IS connected to your site..

they have also there some info you might find useful to read..
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6975154
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20093645.html
http://www.experts-exchange.com/questions/Q.20100190.html
http://www.experts-exchange.com/questions/Q.20100827.html
http://www.experts-exchange.com/questions/Q.20109514.html
http://www.experts-exchange.com/questions/Q.20134324.html
http://www.experts-exchange.com/questions/Q.20167478.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Mobile electronic signature 7 176
How to solve this equation 3 48
Affiliate marketing 3 73
Uber Driver: What app to use?? 8 87
The aim of this article is to help you solve the error "Cannot insert the value NULL into column 'ShortDescription', table 'albert_store.dbo.Nop_Product'; column does not allow nulls. UPDATE fails." problem and allow you to continue updating your No…
E-commerce is quite a gambling world, and you should never entrust your business to a lucky chance. In order to outrun your competitors in a race to attract as many customers as possible, you need to have a well thought-out strategy under your belt.…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now