Preparing my ASP.NET / MVC site to use SSL?

I'm getting ready to have an SSL cert installed on my hosting.

It is my understanding that (and correct me if I'm wrong...):

  1. Once the hosting guys install the cert, I will be able to browse my site on Http or Https (nothing will stop me from continuing to use Http)?

  2. The only thing I need to do, is add logic (in the case of MVC, Controller attributes/filters) to force certain pages, of my choosing, to redirect to Https (for instance, adding a [RequiresHttps] attribute sparingly).

Do I have to worry about doing anything extra with these things to make sure I'm using SSL properly? I'm not sure if I need to change something with logic having to do with:

  1. Cookies

  2. PayPal Express integration

Also, I plan on adding [RequiresHttps] only on the shopping cart, checkout, login, account, and administration pages. I wish to leave my product browsing/shopping pages on Http since I heard there is more overhead for using Https. Is this normal/acceptable/ok?

One more question... I know ASP.NET stores some login information in the form of an Auth cookie. Is it okay that a user logs in on an Https page, but then can go back and browse on an Http page? I'm wondering if that creates a security weakness, since the user is logged in and browsing over Http again. Does that ruin the point of using SSL?

I'm kind of a newb at this... so help would be appreciated.

Ralph N asked Mar 06 '12 10:03


2 Answers

Starting with your questions: on (1), yes, nothing will stop you from serving the same pages over either HTTP or HTTPS.

And (2), yes, you need to add your logic for which pages will be shown only as HTTPS and which as HTTP. If someone is wondering why not show everything as HTTPS, the reason is speed: when you send pages as HTTPS they are bigger and the encoding/decoding takes a little more time, so if you do not need HTTPS, just switch to HTTP.

Switching Between HTTP and HTTPS Automatically is a very good piece of code to use to implement the switching logic quickly and easily.

Cookies

When the cookie has to do with the user's credentials, then you need to force it to be transmitted only on secure pages. What this means is that if you set a cookie as secure over HTTPS, this cookie is NOT transmitted on non-secure pages, so it stays secure and a man in the middle cannot steal it. The catch here is that this cookie cannot be read on HTTP pages, so you can only know that the user is A or B on secure pages.

Cart - Products

Yes, this is normal: leaving the products and the cart on an unsecured connection, because the information is not so sensitive. You start the HTTPS pages when you get to the user's real data, like name, email, address etc.

Auth cookie

If you set it as secure only, then this cookie is not shown/read/present on unsecured pages. It is an issue if you do not make it secure only.

Response.Cookies[s].Secure = true;

Few more words

What we do with secure and non-secure pages is that we actually split the user data into two parts: one that is secure and one that is not. So we actually use two cookies, one secure and one not secure.

The non-secure cookie is, for example, the one that connects all the products in the cart, or maybe the user's history (what products they have seen). This is also data we do not actually care if someone gets, because even a proxy can see from the URL the user's history or what the user sees.

The secure cookie is the authentication one, which keeps some critical information about the user. So the non-secure cookie is with the user everywhere on the pages; the secure one is only on checkout, when logged in, etc.

Related

MSDN, How To: Protect Forms Authentication in ASP.NET 2.0
Setting up SSL page only on login page
Can some hacker steal the cookie from a user and login with that name on a web site?

Aristos answered Nov 07 '22 18:11
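The two-cookie split described in the answer above, as an added example in ASP.NET MVC (this is not code from the answer or from the question's site). It assumes Forms Authentication with a Membership provider and a server-side cart looked up by an opaque id; the controller, cookie and action names are illustrative:

```csharp
// Added example (not code from the answer above): the "two cookies" split in
// ASP.NET MVC. Assumed: Forms Authentication, an ASP.NET Membership provider,
// and a server-side cart looked up by an opaque id. Names here are illustrative.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class CartCookie
{
    public const string Name = "cartid";

    // The non-secure cookie: an opaque random id that links this browser to a
    // cart stored on the server. It travels over plain HTTP, so it must carry
    // nothing an eavesdropper could use (no user name, no prices, no auth data).
    public static string GetOrCreate(HttpRequestBase request, HttpResponseBase response)
    {
        HttpCookie existing = request.Cookies[Name];
        if (existing != null && IsValidId(existing.Value))
            return existing.Value;

        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        string id = BitConverter.ToString(bytes).Replace("-", string.Empty);

        response.Cookies.Add(new HttpCookie(Name, id)
        {
            HttpOnly = true,                       // page scripts cannot read it
            Expires = DateTime.UtcNow.AddDays(30)  // Secure deliberately NOT set
        });
        return id;
    }

    // Reject tampered values before they reach a database lookup.
    private static bool IsValidId(string value)
    {
        return value != null && value.Length == 32 && value.All(Uri.IsHexDigit);
    }
}

public class AccountController : Controller
{
    [RequireHttps]
    public ActionResult Login()
    {
        return View();
    }

    [RequireHttps, HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return View();
        }

        // The secure cookie: the forms-auth ticket. Secure means the browser only
        // sends it over HTTPS, so it never crosses the wire in clear text on the
        // HTTP product pages; HttpOnly keeps it away from page scripts.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, false);
        authCookie.Secure = true;
        authCookie.HttpOnly = true;
        Response.Cookies.Add(authCookie);

        return RedirectToAction("Index", "Checkout");
    }
}

public class ProductsController : Controller
{
    // Plain HTTP is allowed here. Only the cart cookie arrives; the browser
    // withholds the Secure auth cookie, so User.Identity.IsAuthenticated is
    // false on this page even for a user who logged in a moment ago.
    public ActionResult Index()
    {
        ViewBag.CartId = CartCookie.GetOrCreate(Request, Response);
        return View();
    }
}

[RequireHttps, Authorize]
public class CheckoutController : Controller
{
    // Over HTTPS both cookies arrive, so the cart can be tied to the
    // authenticated user here.
    public ActionResult Index()
    {
        ViewBag.CartId = CartCookie.GetOrCreate(Request, Response);
        ViewBag.UserName = User.Identity.Name;
        return View();
    }
}
```

Two practical notes. Setting `requireSSL="true"` on the `<forms>` element in web.config makes Forms Authentication mark the ticket cookie Secure itself and refuse to issue it over HTTP, which is a safer default than remembering to set the flag in every login path. And the Secure flag only stops the browser from sending the cookie over HTTP; it does not stop an attacker on one of the HTTP pages from setting a cookie of the same name, so treat the cart id strictly as an opaque lookup key and never let the HTTP side carry anything the HTTPS side trusts.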


1) Yes, you are right.

2) Yes. You can optionally handle the HTTP 403.4 code (SSL required) more gracefully by automatically redirecting the client to the HTTPS version of the page.

As for authentication cookies, I found this MSDN article for you. Basically, you can set up your website (and the client's browser) to transmit the authentication cookie only via HTTPS. This way it won't be subject to network snooping over an unencrypted channel.

Of course, this is only possible if all of your [Authorize] actions are HTTPS-only.

Zruty answered Nov 07 '22 19:11
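The graceful redirect this answer suggests, as an added example (not the answer's code, and not the project's): a `RequireHttps` variant that handles the "SSL required" case inside the application rather than letting IIS answer 403.4. It assumes ASP.NET MVC 3 or later and that TLS terminates on the web server itself, so `Request.IsSecureConnection` reflects the real connection; the attribute and controller names are illustrative:

```csharp
// Added example (not code from the answer above): a RequireHttps variant that
// handles the "SSL required" case in the application instead of leaving IIS
// to answer 403.4. Assumed: ASP.NET MVC 3 or later, TLS terminated on the web
// server itself (Request.IsSecureConnection reflects the real connection).
using System;
using System.Net;
using System.Web.Mvc;

public class RedirectToHttpsAttribute : RequireHttpsAttribute
{
    // The base attribute calls this only when the request did NOT arrive over HTTPS.
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string method = request.HttpMethod;

        bool safeMethod = string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase)
                       || string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase);

        if (!safeMethod)
        {
            // A POST that reached us over HTTP has already sent its body in clear
            // text. Redirecting would either drop that body or re-send it, so
            // refuse and let the client re-submit from the HTTPS form.
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden, "SSL required");
            return;
        }

        // Same host, path and query string; scheme switched to https on its
        // default port (Port = -1 tells UriBuilder to use the scheme default).
        var builder = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };
        filterContext.Result = new RedirectResult(builder.Uri.AbsoluteUri, permanent: true);
    }
}

// Used exactly like [RequireHttps], on the actions or controllers that must be
// HTTPS-only (cart, checkout, login, account and admin pages in the question).
[RedirectToHttps]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

One caveat before deploying this: if TLS is terminated at a load balancer or reverse proxy in front of the web server, `Request.IsSecureConnection` is false for every request and this attribute redirects in a loop. In that setup, decide "is this HTTPS" from the proxy's forwarded-scheme header instead, and only trust that header when the request actually came from the proxy's address.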