How to use HTTPS in an ASP.Net Application

Question

I want to use HTTPS in my ASP.NET web application, but only for the Login.aspx page.

How can this be accomplished?

Answer 1

1. First get or create a certificate

2. Get the SecureWebPageModule module from http://www.codeproject.com/Articles/7206/Switching-Between-HTTP-and-HTTPS-Automatically-Ver. Instructions for setup can be found in the article.

3. Add secureWebPages tag to web.config

   <configuration>     ...     <secureWebPages enabled="true">         ...     </secureWebPages>     ...     <system.web>         ...     </system.web> </configuration> 

4. Add files and directories to be use for https protocol:

   <secureWebPages enabled="true">     <file path="Login.aspx" />     <file path="Admin/Calendar.aspx" ignore="True" />     <file path="Members/Users.aspx" />     <directory path="Admin" />     <directory path="Members/Secure" /> </secureWebPages>  

Hope this helps!

Answer 2

You can publish your own certificate or you can purchase one. The caveat is that purchasing one, depending on the company, means that it's already stored in the certificate store for most browsers. Your self published one will not be and your users will have to take the extra step of installing your cert.

You don't say what version of IIS you're using, but here are some detailed instructions for IIS 6

You can purchase relatively cheap certs or you can go with the big boys (verisign) and get an extended validation certificate which turns your address bar in IE, green. It's also a somewhat rigorous validation process and takes time.

If you know all of the users that will be hitting your website, there's no problem with installing your own. However, for an open website with anonymous users (that you don't know), it's probably best to purchase one that is already in most major browsers, certificate stores.

You can enable SSL via IIS and require it for only your login.aspx page and not for the rest.