Solved

Using Log In on Default page Http/Https

Posted on 2010-08-26
Last Modified: 2012-06-27
My website introduces users to the site via a default page (http://domainName/Default.aspx); contained on the page is a user Login control. Upon user authentication, the user is transferred to a role-driven admin page or a member page (https://domainName/siteName/RoleDrivenPage.aspx). My problem is that everyone needs access to see the Default page because there are links to non-secure areas. I cannot set 'requireSSL=true' because the default page resides on 'http', and when I set 'requireSSL=false' the user logs in and is then required to log in again using https://domainName/siteName/Default.aspx.

Is there a way to use this Default/Login functionality?
Web.config:

    <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
    -->
    <authentication mode="Forms">
      <forms protection="All" name=".ASPXFORMSAUTH" loginUrl="Default.aspx" slidingExpiration="false" timeout="10" requireSSL="true"
        cookieless="UseCookies" />
    </authentication>
    <!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <httpCookies requireSSL="true" />
    <!-- Membership class -->
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
      <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="rmeaspnetdbConnectionString" applicationName="/" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" passwordFormat="Hashed"/>
      </providers>
    </membership>
    <!-- Role management goes here -->
    <roleManager defaultProvider="SqlProvider" enabled="true" cacheRolesInCookie="true" cookieProtection="All">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="rmeaspnetdbConnectionString"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web> <!-- Closing system.web in order to apply location tags -->

  <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- This section gives the authenticated user access to all of the files that are stored in the Member Content Pages folder. -->
  <location path="MemberContentPages">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- This section gives the authenticated user with Role Administrator, Site Admin and Assistant access to all of the files that are stored in the Entity Content Pages folder. -->
  <location path="EntityContentPages">
    <system.web>
      <authorization>
        <deny users="?" />
        <deny roles="Member" />
        <deny roles="Client" />
      </authorization>
    </system.web>
  </location>

Question by:Robert Treadwell
4 Comments
 
LVL 28

Expert Comment

by:strickdd
ID: 33541213
As long as you aren't pulling content from sources via "http" you can have offsite links to "http" from an "https" page. Things to watch are mainly images and CSS files. If you can, switch these to be relative links (e.g., "/MySite/Style.css" instead of "http://mysite.com/MySite/Style.css").

The other option would be to create a separate login page.
0
 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 33548088
Why not make the default page for http forward to https instead?  
0
 

Author Comment

by:Robert Treadwell
ID: 33549802
I thought of that and will do it as a last resort. However, I was reading documentation on login over HTTPS from HTTP. Are you aware, 'routinet', how to do this, and do you happen to know where I may be able to find an example of this functionality?
0
 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 33550121
>>> I thought of that and will do it at last resort.

I don't see why it should be a last resort.  I have never seen the use in having a non-SSL portion of your site if you already have the SSL certificate to secure it.

>>> Login over HTTPS from HTTP

The HTTP or HTTPS describes the structure and flow between a client and a server.  If I request a page from your server using HTTP, the response is sent in plain text.  If that page has a link or a form to an HTTPS page, and I click it or submit the form, my client will initiate an SSL conversation with your server, and my subsequent request and your response will be sent as encrypted content.  For a link, that takes the form of:

<a href="https://yourserver.com/page.php">

For a form:

<form name="myform" action="https://yourserver.com/formhandler.php" method="post">

The main thing you need to be aware of when switching to SSL is that other resources need to come from an SSL source also.  Otherwise, the user receives a mixed-content warning.  You can easily account for this behavior by using relative links in your resources.  For example, instead of:

<img src="http://yourserver.com/images/image.jpg" />

Use this:

<img src="/images/image.jpg" />

The requests generated by the second example will automagically add the protocol and server name, since it is implied to be the same server and protocol as the original request.
0
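
Added example (not part of the original thread or any poster's code): a Python check for the point both experts make above, that a page served over HTTPS must not pull images, stylesheets or scripts by absolute http:// URL, and that the login form must not post to http://. The sample page is constructed from the URLs quoted in the thread; `scan`, `MixedContentScanner` and the other names are assumptions of this example.

```python
"""Added example: flag http:// subresources and form targets in a page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

# Constructed sample page, built from the URLs quoted in the thread.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://mysite.com/MySite/Style.css">
<link rel="stylesheet" href="/MySite/Style.css">
</head><body>
<a href="http://yourserver.com/public.aspx">non-secure area</a>
<img src="http://yourserver.com/images/image.jpg" />
<img src="/images/image.jpg" />
<form name="myform" action="https://yourserver.com/formhandler.php" method="post"></form>
<form name="old" action="http://yourserver.com/formhandler.php" method="post"></form>
</body></html>"""

def _is_http(url):
    try:
        return urlsplit(url.strip()).scheme.lower() == "http"
    except ValueError:  # malformed URL, nothing to classify
        return False

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if not value or not _is_http(value):
                continue
            if tag == "form" and name == "action":
                kind = "insecure-form-post"  # form data would be sent in plain text
            elif tag == "link" and name == "href" and "stylesheet" in rel:
                kind = "mixed-content"
            elif name == "src" and tag in SRC_TAGS:
                kind = "mixed-content"
            else:
                continue  # <a href="http://..."> is navigation, not a subresource
            self.findings.append((self.getpos()[0], tag, name, value, kind))

def scan(html):
    """Return findings for every absolute http:// subresource or form action."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Relative references such as "/images/image.jpg" and plain links to non-secure areas produce no finding, which matches the advice in the answers.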
