Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 515
  • Last Modified:

Using SSL on a webserver

I want to use SSL in my application 's sensitive pages (e.g login page)
That mean SSL will be used when user is login, once login is completed, it will be redirect to another page which do not need SSL.
However, I found that during such Response.Redirect from a https to http, a security alert always popup and tell "You are about to be redirected to a connection that is not secure...."
How can I avoid this? as I feel it is very annoying to user. I don't want to use https for the whole application as it will slow down the performance.

The directory structure is defined as below:
https//www.mysite.com/weblogon/logon.asp (login page with ssl)
http://www.mysite.com/application/default.asp (my application)

Thx.
0
LCP
Asked:
LCP
  • 6
  • 6
  • 4
  • +2
1 Solution
 
ZhongYuCommented:
The feature is because of the browser configuration.

Goto menu:   Tool/Internet Options/Advanced/
uncheck "Warn if changing between secure and not secure mode"

0
 
LCPAuthor Commented:
I have try to uncheck this setting already but it is still doesn't work.
0
 
ZhongYuCommented:
Then redirect is the problem. You may not be able to avoid it. Could you consider redirect to a secure page and after that using unsecure pages? The performance costs of using secure page is not high, redirect is much higher. If you use IIS 5, consider using transfer.  
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Michel SakrCommented:
This is a client side feture, you can't controle it from your side.. the user must lower his security warnings also from the security tab.. or preferences in Netscape..
0
 
LCPAuthor Commented:
I have tried to lower the security setting in IE, but it still popup.
If I put a http link <A> on the HTTPS page, there is no problem of redirection.
If I use Refresh Header in the page, it is also no problem.

The problem just appear in Response.Redirect. If this cannot be solve, I can only make all of page redirection of https to http using the Refresh Header only.

I am using IE5.5 with SP1
0
 
ZhongYuCommented:
If you understand how redirect work, you can easily guess why it can cause problem.

When your asp run response.redirect, it clears the buffer (thats why you cannot redirect after sending anything to the client) and send a http header stating that the page has been moved and it should get the new page at the new address you want to redirect to. Then the browser try again to get the new page.

So every redirect cause en extra call. Besides, some proxy server will try to interprete the header and react according to it and result is that the application based on redirect will not work.

0
 
Michel SakrCommented:
use server.transfer instead if you are using IIS5
0
 
Antonio_99Commented:
Another Question as I am going to be Diving into makeing a page that takes credit cards soon. For SSL do you have to have a verisign.com approve your auth for SSL to work? or is that only for a good mind for your customers?
0
 
ZhongYuCommented:

Your customer must trust the issuer of your server certificate. Verisign CA certificates are always installed on the client computer, so there will be no problem and security warning. If you issue your own server certificate, the first thing the client to do is to install your CA certificate. Not everyone will do that, those try not always succeed.
0
 
Michel SakrCommented:
if you won't get a key, the users will see a prompt that your site can't be trusted..
0
 
LCPAuthor Commented:
we can't use server.transfer to run a full path.
e.g. Server.Transfer "http://www.mysite.com/application/default.asp

Server.Transer only support relative path and also no querystring can be supplied. Also, the URL display in location bar will be the original page that call Server.Transfer, not the page redirected because it doesn't tell the browser that page have transfered and therefore it will cause the page flow control problem.

If you want to run from a secure page (https) page to a non-secure page (http), u need to specify the protocol to be used (http://), and that's why Server.transfer cannot be used in this case. Unless, all pages are running under https, but it is not the solution that I want. It is because I just want the login page use HTTPS. When user submit the userid and password, after verification, I will redirect to my application main page with HTTP only. Just that simple.
0
 
LCPAuthor Commented:

For SSL, u need to apply a server certificate from one of the CA like verisign. If u are using the CA which is very common, I think you don't need to worry about it as most browser will trust that CA by default. However, if my question can't be solve, then I think u need to use SSL for your whole application. Otherwise, the User will will ignoring to ans Yes everytime when u redirect the page..

Corrent me if I am wrong.

Thx.
0
 
Michel SakrCommented:
Yes.. Lots of users disable the prompts BTW by clicking do not show this warning..
0
 
LCPAuthor Commented:
yes. but the prompt that can disable is :
"You are about to leave a secure Internet connection. It will be possible for others to view information you send.
Do you want to continue?" also there is a checkbox and ask whether you want to show this warning in the future.

I have disable this warning in the tools -> internet options.

but still show the prompt "You are about to be redirected to a connection that is not secure...."

It is two different prompt but the meaning is similar.
Btw, anyway have experience surf a site that got secure and non-secure connection at the same time?
0
 
Michel SakrCommented:
Again..it's a client side issue.. set for security reason, suppose you are entering your credit card info on a site and some hacker hacked the site and redirected submission links to his site! so you see..
0
 
LCPAuthor Commented:
ok... but how do people do usually when they got some pages use SSL only? I often hear people said they just set some pages of their site use SSL (e.g login, credit card input), and others use http only. It seems that seldom people raise up such question and that's why I suspected that I got some wrong step.
They don't use redirect?
0
 
Michel SakrCommented:
yes.. I'll post you some info:

SSL - Secure Socket Layer is a connection that is made on port 443 ,

the connection is Cyphered (encrypted) based on the browser encryption

capabilities (up to 128 bit) usually the HTTP connection is made on

port 80 and the data is transmitted as plain text thus rendering

sensible info vulnerable.. you should setup SSL in IIS settings for the

site, you set the SSL port to 443 in the Web Site tab, clicking on the

advanced tab you should see the site IP and SSL port number in multiple

SSL identities area.. otherwise add the entry.. now the simple thing

that should be done on your site is the page you want to use SSL in it

you should link to it using the full url preceeded by the https.. like

https://mysite.com/secure.asp the client will get a notice that he's

entering a secure site, this is a client side feature.. if you don't purchase a key from a security company then the client will also get a notice that the site security info is unavailabe (that means the client might be logging to a spoofed site similar to yours) when you want to exit SSL you simply forward the client to an http: URL..

so you better get also a key from a security company like verisign.com

that will guarantee to the client that his IS connected to your site..

they have also there some info you might find useful to read..
0
 
MoondancerCommented:
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.  

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20093645.html
http://www.experts-exchange.com/questions/Q.20100190.html
http://www.experts-exchange.com/questions/Q.20100827.html
http://www.experts-exchange.com/questions/Q.20109514.html
http://www.experts-exchange.com/questions/Q.20134324.html
http://www.experts-exchange.com/questions/Q.20167478.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

  • 6
  • 6
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now