
A single page from an existing application under SSL?

Author
17 Mar 2005 8:13 AM
Mike Owen
I have developed an application which all works fine, and runs under a normal
non secure connection, e.g. http://shop.domainname.co.uk .

I now want to run just a single page, that already exists in the
application, that asks user to enter credit card information, in a secure
environment using SSL.

I have set up a separate site and secured it with a certificate.

The main site is called shop.domainname.co.uk, and the secure site is called
secure.domainname.co.uk

Users currently have to log in to shop.domainname.co.uk using forms
authentication, to get to the point where they enter credit card
information.

Is it possible without writing a load of new code, to just run the credit
card entry page under the secure connection? And if so, how?


Thanks, Mike.

Author
17 Mar 2005 1:55 PM
Nicole Calinoiu
If you're using forms authentication over HTTP, you've probably got a bigger
problem than how to handle the credit card submission since the
authentication ticket cookie is being transmitted in the clear.  Any
information protected by the login is therefore available to anyone who can
steal the cookie.   Your overall configuration would be far more secure if
it were to use HTTPS as of the login (and only transmit the authentication
cookie over HTTPS).  Since credit card submission would take place after
login, it too would be covered.

Also, use of two parallel sites is likely to cause some headaches you could
probably do without (e.g.: no shared session state).  Things will be quite a
bit easier if you use a single site.  Of course, if you've already purchased
a certificate for the "secure" version of the site address, you probably
won't want to switch over to using the "shop" version.  If the "shop"
version is already in use, then eliminating it isn't much of an option
either.  Your best bet might be to set up the "shop" site to simply redirect
to the "secure" site so that folks entering the site using a "shop" URL will
be automatically transferred to the actual site hosted under the "secure"
address.

Within the "secure" site, you could allow access via HTTP until the login
page is hit.  However, the login page, and all pages used after login,
should be accessed over HTTPS only.  This will work automatically if you use
relative URLs everywhere but in the links to the login page.  For pages in
which sensitive information (e.g.: the credit card number) is transmitted,
it might be a good idea to enforce HTTPS use via IIS.  In addition, your
web.config file should specify that the forms authentication cookie only be
transmitted over HTTPS (use the requireSSL attribute for the forms
authentication element as described at
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthenticationsection.asp).

HTH,
Nicole


Author
18 Mar 2005 7:07 PM
Mike Owen
Thanks for this Nicole.

Is it the case then that I could have set the web site up to be both secure
and non secure at the same time, and that when this has been done users could
go from the non secure to secure still using the same session state?

Correct me if I am wrong, but would the above mean that some of the
pages would be accessed via:

http://shop.domainname.co.uk/Page*.aspx

and some

as https://shop.domainname.co.uk/Page*.aspx

and I could switch between the 2 as long as I used literal URLs, even if the
user is logged in?

Using the same site for both seems like a good idea, if you think it will
work, but I am not sure that the transfer of all requests from the unsecure
to secure would work too well, as the site is regularly indexed by search
engines and we would not want to jeopardise this.

I wait with bated breath for your answers on the above.


Thanks, mike.

Author
18 Mar 2005 7:28 PM
Nicole Calinoiu
"Mike Owen" <MikeO***@discussions.microsoft.com> wrote in message
news:DB6F9A0D-6AA9-4337-939A-15ACE3D34FB2@microsoft.com...
> Thanks for this Nicole.
>
> Is it the case then that I could have set the web site up to be both
> secure
> and non secure at the same time,

Absolutely.  In IIS, applying an SSL certificate simply enables HTTPS, it
doesn't require it.  You can enforce use of HTTPS for all or part of your
site, but this is up to you.


> and that when this has been done users could
> go from the non secure to secure still using the same session state?

In theory, yes.  However, it's not necessarily any better an idea to send
session cookies over HTTP than it is to do the same with form authentication
cookies.  If any data exposed via an existing session could be sensitive,
then that session's cookie should not be sent over HTTP.


>
> Correct me if I am wrong, but would the above mean that some of the
> pages would be accessed via:
>
> http://shop.domainname.co.uk/Page*.aspx
>
> and some
>
> as https://shop.domainname.co.uk/Page*.aspx
>
> and I could switch between the 2 as long as I used literal URLs, even if
> the
> user is logged in?

Yes, but switching back to HTTP after the user has started working with
potentially sensitive data over HTTPS is rarely a good idea.

>
> Using the same site for both seems like a good idea, if you think it will
> work, but I am not sure that the transfer of all requests from the
> unsecure
> to secure would work too well, as the site is regularly indexed by search
> engines and we would not want to jeopardise this.

Then perhaps it's worthwhile to invest in a second certificate for the
"shop" address so that you can use both HTTP and HTTPS on the original site.
Even though this will likely cost you a bit more money up front, it will
most likely save you both time and money wrt site maintenance.


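The two points Nicole makes across her replies (mark the forms authentication cookie with requireSSL so it is never sent over HTTP, and enforce HTTPS on the login page and the credit card page rather than relying on links alone) can be wired into a single ASP.NET site without a second host name. The following Global.asax code-behind is an added example written for this thread, not code from either poster or from Microsoft; the page names Login.aspx and CreditCard.aspx are assumed, as is a single site that has both an HTTP and an HTTPS binding. The web.config fragment in the leading comment uses only attributes documented for the forms element of that era.

```csharp
// Global.asax.cs (added example). Assumes ASP.NET with Forms authentication.
//
// Matching web.config fragment (requireSSL is the attribute Nicole refers to;
// it marks the .ASPXAUTH cookie Secure so browsers never send it over HTTP):
//
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="Login.aspx" requireSSL="true"
//            protection="All" timeout="30" />
//   </authentication>
//
// ASP.NET 2.0 additionally offers <httpCookies requireSSL="true" /> to mark
// every cookie, including the session cookie, Secure; on 1.1 the module below
// is the practical way to keep sensitive pages off plain HTTP.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical list: application-relative paths that must only be served
    // over HTTPS. The login page belongs here because the ticket is issued on
    // its response, and the card page because the card number is posted to it.
    private static readonly string[] SecureOnlyPaths =
        { "/Login.aspx", "/CreditCard.aspx" };

    // Returns true when the request path is one of the HTTPS-only pages.
    // Case-insensitive, because IIS path matching is case-insensitive.
    public static bool RequiresHttps(string path)
    {
        foreach (string p in SecureOnlyPaths)
        {
            if (String.Compare(path, p, true) == 0)
                return true;
        }
        return false;
    }

    // Builds the HTTPS equivalent of an HTTP URL on the same host, so the
    // redirect stays on shop.domainname.co.uk and no second site is needed.
    public static string ToHttps(Uri httpUrl)
    {
        UriBuilder b = new UriBuilder(httpUrl);
        b.Scheme = "https";
        b.Port = 443;
        return b.Uri.AbsoluteUri;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (Request.IsSecureConnection || !RequiresHttps(Request.Path))
            return;

        // A POST that reached us over HTTP has already put its body (possibly
        // the card number) on the wire in the clear. Redirecting would only
        // drop the data silently, so refuse and let the form be reloaded over
        // HTTPS instead.
        if (String.Compare(Request.HttpMethod, "POST", true) == 0)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // GET over HTTP: send the browser to the same page over HTTPS.
        Response.Redirect(ToHttps(Request.Url), true);
    }
}
```

Because requireSSL makes the authentication cookie Secure, a user who follows an absolute http:// link after logging in simply appears logged out on that page rather than leaking the ticket; that is the behaviour Nicole describes as preferable to switching back to HTTP mid-session. Public catalogue pages stay reachable over HTTP for search engine crawlers, which is the concern Mike raised about a blanket redirect.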
