Re: A single page from an existing application under SSL?

Cheers, Mike.

"Nicole Calinoiu" wrote:
> "Mike Owen" <MikeO***@discussions.microsoft.com> wrote in message
> news:DB6F9A0D-6AA9-4337-939A-15ACE3D34FB2@microsoft.com...
> > Thanks for this Nicole.
> >
> > Is it the case then that I could have set the web site up to be both
> > secure and non-secure at the same time,
>
> Absolutely. In IIS, applying an SSL certificate simply enables HTTPS, it
> doesn't require it. You can enforce use of HTTPS for all or part of your
> site, but this is up to you.
>
> > and that when this has been done users could go from the non-secure to
> > secure still using the same session state?
>
> In theory, yes. However, it's not necessarily any better an idea to send
> session cookies over HTTP than it is to do the same with forms authentication
> cookies. If any data exposed via an existing session could be sensitive,
> then that session's cookie should not be sent over HTTP.
>
> > Correct me if I am wrong, but would the above mean that some of the
> > pages would be accessed via:
> >
> > http://shop.domainname.co.uk/Page*.aspx
> >
> > and some as
> >
> > https://shop.domainname.co.uk/Page*.aspx
> >
> > and I could switch between the 2 as long as I used literal URLs, even if
> > the user is logged in?
>
> Yes, but switching back to HTTP after the user has started working with
> potentially sensitive data over HTTPS is rarely a good idea.
>
> > Using the same site for both seems like a good idea, if you think it will
> > work, but I am not sure that the transfer of all requests from the
> > unsecure to secure would work too well, as the site is regularly indexed
> > by search engines and we would not want to jeopardise this.
>
> Then perhaps it's worthwhile to invest in a second certificate for the
> "shop" address so that you can use both HTTP and HTTPS on the original site.
> Even though this will likely cost you a bit more money up front, it will
> most likely save you both time and money wrt site maintenance.
>
> > I wait with bated breath for your answers on the above.
> >
> > Thanks, Mike.
> >
> > "Nicole Calinoiu" wrote:
> >
> >> If you're using forms authentication over HTTP, you've probably got a
> >> bigger problem than how to handle the credit card submission since the
> >> authentication ticket cookie is being transmitted in the clear. Any
> >> information protected by the login is therefore available to anyone who
> >> can steal the cookie. Your overall configuration would be far more secure
> >> if it were to use HTTPS as of the login (and only transmit the
> >> authentication cookie over HTTPS). Since credit card submission would
> >> take place after login, it too would be covered.
> >>
> >> Also, use of two parallel sites is likely to cause some headaches you
> >> could probably do without (e.g.: no shared session state). Things will be
> >> quite a bit easier if you use a single site. Of course, if you've already
> >> purchased a certificate for the "secure" version of the site address, you
> >> probably won't want to switch over to using the "shop" version. If the
> >> "shop" version is already in use, then eliminating it isn't much of an
> >> option either. Your best bet might be to set up the "shop" site to simply
> >> redirect to the "secure" site so that folks entering the site using a
> >> "shop" URL will be automatically transferred to the actual site hosted
> >> under the "secure" address.
> >>
> >> Within the "secure" site, you could allow access via HTTP until the login
> >> page is hit. However, the login page, and all pages used after login,
> >> should be accessed over HTTPS only. This will work automatically if you
> >> use relative URLs everywhere but in the links to the login page. For
> >> pages in which sensitive information (e.g.: the credit card number) is
> >> transmitted, it might be a good idea to enforce HTTPS use via IIS. In
> >> addition, your web.config file should specify that the forms
> >> authentication cookie only be transmitted over HTTPS (use the requireSSL
> >> attribute for the forms authentication element as described at
> >> http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp).
> >>
> >> HTH,
> >> Nicole
> >>
> >> "Mike Owen" <MikeO***@discussions.microsoft.com> wrote in message
> >> news:2F1A340D-FCB8-4137-9B7A-148C68E32376@microsoft.com...
> >> > I have developed an application which all works fine, and runs under a
> >> > normal non-secure connection, e.g. http://shop.domainname.co.uk .
> >> >
> >> > I now want to run just a single page, that already exists in the
> >> > application, that asks the user to enter credit card information, in a
> >> > secure environment using SSL.
> >> >
> >> > I have set up a separate site and secured it with a certificate.
> >> >
> >> > The main site is called shop.domainname.co.uk, and the secure site is
> >> > called secure.domainname.co.uk
> >> >
> >> > Users currently have to log in to shop.domainname.co.uk using forms
> >> > authentication, to get to the point where they enter credit card
> >> > information.
> >> >
> >> > Is it possible without writing a load of new code, to just run the
> >> > credit card entry page under the secure connection, and if so how?
> >> >
> >> >
> >> > Thanks, Mike.
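The thread's advice boils down to three settings: issue the forms authentication ticket only over HTTPS (requireSSL), treat the session cookie the same way, and make IIS refuse plain HTTP on the card-entry page. The web.config below is an added example written for this page, not configuration posted by either participant. It assumes ASP.NET 2.0 or later running on IIS 7 or later (the thread predates that, and on IIS 6 the "require secure channel" setting lives in the IIS console rather than web.config); the page name Checkout.aspx and the login page name are placeholders standing in for the thread's Page*.aspx. The weak form of the forms element is left in a comment next to the hardened one so the difference is visible.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example for this thread, not code from the original posts.
  Assumes ASP.NET 2.0+ on IIS 7+. Checkout.aspx and Login.aspx are
  placeholder page names.
-->
<configuration>
  <system.web>

    <!-- WEAK: the situation the first reply warns about. The ticket
         cookie is issued and accepted over plain HTTP, so anyone who can
         read the wire can replay it and act as the logged-in user.

    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="false" />
    </authentication>
    -->

    <!-- HARDENED: requireSSL="true" sets the Secure flag on the ticket
         cookie, so the browser never sends it over HTTP. In addition,
         FormsAuthentication.SetAuthCookie throws if the login page itself
         is served over HTTP, and the module ignores a ticket that somehow
         arrives on a non-SSL request. Login.aspx must therefore be reached
         over HTTPS, which is what the reply recommends anyway. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="true" />
    </authentication>

    <!-- Cover the session cookie the second reply mentions: mark every
         cookie ASP.NET creates (ASP.NET_SessionId included) as Secure and
         HttpOnly. A session started over HTTP will not carry into the HTTPS
         pages, which is the trade-off that reply accepts in preference to
         sending the cookie in the clear. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

  </system.web>

  <!-- Enforce HTTPS at the IIS level for the card-entry page only. A
       plain-HTTP request for this path gets 403.4 rather than being
       served. Caveat: the <access> section is locked by default in
       applicationHost.config (overrideModeDefault="Deny"); until an
       administrator unlocks it, this element produces a 500.19 error
       instead of enforcing anything. -->
  <location path="Checkout.aspx">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two practical notes follow from the thread rather than from this fragment. First, sslFlags only rejects HTTP; it does not redirect to HTTPS, so the links into Checkout.aspx and Login.aspx should use absolute https:// URLs while everything else stays relative, exactly as the first reply describes. Second, once requireSSL is on for both the ticket and the session cookie, a user who navigates back to an http:// URL after logging in will appear logged out, which is the expected and safe outcome of the "don't switch back to HTTP" advice, not a misconfiguration.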