
How to secure login and member area with SSL certificate?

Tags: c#, asp.net, ssl

Background: I have an ASP.NET web application project that should contain a public and a member area. Now I want to implement SSL encryption to secure communication between the client and the server. (In the university we have an unsecured wireless network and you can use a WLAN sniffer to read username/password. I do not want to have this security problem for my application, so I thought of SSL encryption.)

The application is running on IIS 7.5. Is it possible to have one web app that has unsecured pages (like the public area) and a secured area (like the member area, which requires a login)? If yes, how can I realise the communication between these two areas?

Example: My webapp is hosted on http://foo.abc. I have pages like http://foo.abc/default.aspx and http://foo.abc/foo.aspx.

In the same project there is a page like /member/default.aspx which is protected by a login on the page http://foo.abc/login.aspx.

So I would need to implement SSL for the page /login.aspx and all pages in /member/.

How can I do that? I just found out how to create SSL certificates in IIS 7.5 and how to add such a binding to a web app. How can I tell my web app which page should be called with https and not with http? What is the best practice there?

citronas asked Mar 06 '10 16:03


1 Answer

From here: How to use HTTPS in an ASP.Net Application

After you get SSL setup/installed, you want to do some sort of redirect on the login page to https://. Then whatever page the user is sent to after validation, it can just be http://.

    Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
        ' Redirect plain-HTTP requests to HTTPS, except on the local test machine.
        If Request.IsSecureConnection = False And _
            Not Request.Url.Host.Contains("localhost") Then

            Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
        End If
    End Sub

This may be easier to implement on a master page or just all the pages you require https. By checking for "localhost" you will avoid getting an error in your testing environment (unless your test server has another name, then check for that: "mytestservername").

Aseem Gautam answered Sep 16 '22 19:09
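
An added example, not part of the answer above or of any project's code: the same redirect done once in Global.asax in C# (the question's language), keeping /login.aspx and everything under /member/ on HTTPS as the question asks. The class name `Global` and the `RequiresHttps` helper are assumptions made for illustration; the two paths come from the question.

```csharp
// Global.asax.cs (added example; paths taken from the question)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Everything that starts with one of these must be served over HTTPS only.
    private static readonly string[] SecurePrefixes = { "/login.aspx", "/member/" };

    // Hypothetical helper: appRelativePath looks like "~/member/default.aspx".
    internal static bool RequiresHttps(string appRelativePath)
    {
        string path = appRelativePath.TrimStart('~');
        foreach (string prefix in SecurePrefixes)
        {
            if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // Already secure, or a request from the development machine itself.
        if (request.IsSecureConnection || request.IsLocal)
            return;
        if (!RequiresHttps(request.AppRelativeCurrentExecutionFilePath))
            return;

        // Rebuild the URL rather than string-replacing "http://", so a query
        // string that happens to contain "http://" is left untouched.
        var target = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443 // default HTTPS port, omitted from the resulting URL
        };
        Response.Redirect(target.Uri.AbsoluteUri, true);
    }
}

// The redirect only protects what is sent after it. Links to the login form
// should already point at https:// so credentials are never posted over HTTP,
// and <forms requireSSL="true" /> in web.config keeps the forms-authentication
// cookie from being sent on plain-HTTP requests.
```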