Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Preparing my ASP.NET / MVC site to use SSL?

Tags:

ssl

asp.net-mvc

I'm getting ready to have an SSL cert installed on my hosting.

It is my understanding that (and correct me if I'm wrong...):

  1. Once the hosting guys install the cert, I will be able to browse my site on Http or Https (nothing will stop me from continuing to use Http)?

  2. The only thing I need to do, is add logic (in the case of MVC, Controller attributes/filters) to force certain pages, of my choosing, to redirect to Https (for instance, adding a [RequiresHttps] attribute sparingly).

Do I have to worry about doing anything extra with these things to make sure I'm using SSL properly? I'm not sure if I need to change something with logic having to do with:

  1. Cookies

  2. PayPal Express integration

Also, I plan on adding [RequiresHttps] only on the shopping cart, checkout, login, account, and administration pages. I wish to leave my product browsing/shopping pages on Http since I heard there is more overhead for using Https. Is this normal/acceptable/ok?

One more question... I know ASP.NET stores some login information in the form of an Auth cookie. It is okay that a user logs in within an Https page, but then can go back and browse in an Http page? I'm wondering if that creates a security weakness since the user is logged in and browsing in Http again. Does that ruin the point of using SSL?

I'm kind of a newb at this... so help would be appreciated.

like image 836
Ralph N Avatar asked Mar 06 '12 10:03

Ralph N

2 Answers

Starting with your questions, on one, (1) yes nothing will stop you to use for the same pages http ether https.

and (2) Yes you need to add your logic on what page will be show only as https and what as http. If some one wondering, why not show all as https the reason is the speed, when you send them as https the page are bigger and the encode/decode is take a little bit more, so if you do not need https, just switch it to http.

Switching Between HTTP and HTTPS Automatically is a very good code to use for the implementation of switching logic fast and easy.

Cookies

When the cookie have to do with the credential of the user then you need to force it to be transmitted only with secure page. What this mean, mean that if you set a cookie with https, this cookie is NOT transmitted on non secure page, so is stay secure and a man in the middle can not steal it. The tip here is that this cookie can not be read on http pages - so you can know that the user is A, or B only on secure page.

Cart - Products

Yes this is normal : to leave the products and the cart on unsecured connection because the information is not so special. You start the https page when you be on user real data, like name, email, address etc.

Auth cookie

If you set it as secure only, then this cookies not show/read/exist on unsecured page. It is an issue if you not make it secure only.

Response.Cookies[s].Secure = true;

Few more words

What we do with secure and non secure page is that we actually split the user data in two parts. One that is secure and one that is not. So we use actually two cookies, one secure and one not secure.

The not secure cookie is for example the one that connect all the products on the cart, or maybe the history of the user (what products see) This is also that we do not actually care if some one get it because even a proxy can see from the url the user history, or what user see.

The secure cookie is the authentication, that keep some critical information for the user. So the non secure cookie is with the user everywhere on the pages, the secure is only on check out, on logged in, etc.

Related

MSDN, How To: Protect Forms Authentication in ASP.NET 2.0
Setting up SSL page only on login page
Can some hacker steal the cookie from a user and login with that name on a web site?

like image 107
Aristos Avatar answered Nov 07 '22 18:11

Aristos

1) Yes, you are right.

2) Yes. You can optionally handle HTTP 403.4 code (SSL required) more gracefully, by automatically redirecting the client to the HTTPS version of the page.

As for authentication cookies, I've found this MSDN article for you. Basically, you can set up your website (and the client's browser) to only transmit authentication cookie via HTTPS. This way it won't be subject to network snooping over unencrypted channel.

Of course, this is only possible if all of your [Authorize] actions are HTTPS-only.

like image 3
Zruty Avatar answered Nov 07 '22 19:11

Zruty
Sign in to Comment

Related questions

How to create ASP.NET MVC area as a plugin DLL?
MVC5 Microsoft.CSharp.RuntimeBinder.RuntimeBinderException
Create instance of a class with dependencies using Autofac
.NET 4.5 MVC RouteCollection.LowercaseUrls breaks when using Area
ViewBag.Title value overrides Model.Title for ASP.NET MVC Editor Template
How to get OwinContext from Global.asax?
Map view models to KnockoutJS Validation
TypeScript within .cshtml Razor Files
TypeScript - [Subsequent property declarations must have the same type] - Multiple references to the same type definitions
MVC / ASP.NET design templates [closed]
How do I edit an IEnumerable<T> with ASP.NET MVC 3?
God Controllers - How to prevent them?
Is MVVM possible/viable in a DHTML RIA application (no Silverlight/WPF)?
asp.net mvc routing: how to use default action but non-default parameter?
HttpClient & Windows Auth: Pass logged in User of Consumer to Service
.Net MVC Partial View load login page when session expires
Any .NET ecommerce packages using MVC and Linq?
How do I set the protocol when using RedirectToAction?
Boolean with html helper Hidden and HiddenFor
Learn asp.net mvc 3 from open source project

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!