Tono Nam

Reputation: 36048

Considerations to think about when going from HTTP to HTTPS

I know very little about SSL so I have a few questions before migrating to HTTPS.

So I have been doing a lot of reading and now I understand the public and private key exchange. Client and server exchange asymmetric keys so that at the end they can have symmetric keys.

Here are a few questions:

  1. Once the user provides his username and password and the credentials are OK, I will save that user in the session (Context.Session["user"]). On all future pages I will make sure Context.Session["user"] is NOT null in order to render the page. Will this be safe?

  2. Clients will not only be web browsers but also console applications. How can I prevent the console application from having to exchange keys every time it does a request? Is there a way I can prevent some pages from being accessed through https and have them accessed through http instead?

  3. I believe it is essential to maintain a session; otherwise, for every request I will have to wait for the exchange of keys? Is saving whether the user is logged in in the database instead of the session a bad idea?

Upvotes: 0

Views: 44

Answers (2)

Andrew Morton

Reputation: 25013

Partial answer:

  1. Yes. You might want to do the check in a master page, if you are using one, to make sure that you do not forget to do the check.

  2. You can easily switch between http and https for specific pages by using SecuritySwitch. It has worked flawlessly in my testing so far.

Upvotes: 1
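The "do the check in a master page" suggestion from this answer, written out as an added example (this is not code from the answer or from the asker's project). It assumes the login form lives at ~/Login.aspx, that a successful login stored the user in Session["user"], and that every protected content page uses this master page; the HTTPS redirect at the top is an extra step the answer does not mention, added so the session cookie is never sent in clear text.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: a master page that enforces the login check for every content
// page built on it, so no individual page can forget the check.
// Assumptions (not from the original post): login page at ~/Login.aspx,
// Session["user"] set by the login code, AutoEventWireup="true" in the .master file.
public partial class SiteMaster : MasterPage
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Never serve a protected page over plain HTTP: the session cookie that
        // proves the user is logged in would otherwise travel unencrypted.
        if (!Request.IsSecureConnection)
        {
            var builder = new UriBuilder(Request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1 // -1 means "use the default port for the scheme"
            };
            Response.Redirect(builder.Uri.AbsoluteUri, endResponse: true);
            return;
        }

        // The check the answer describes, done once for all content pages.
        if (Session["user"] == null)
        {
            // Keep the requested URL so the login page can send the user back.
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, endResponse: true);
        }
    }
}
```

Two things to keep in mind with this approach: the login page itself must not use this master page (or it would redirect to itself), and pages that do not use the master page are not covered, so a forgotten page is still possible unless every protected page inherits it. Also mark the session cookie as secure and HttpOnly in web.config with <httpCookies requireSSL="true" httpOnlyCookies="true" /> under <system.web>; with requireSSL set, the browser will not send the cookie on any http:// page, which matters if some pages are left on plain HTTP as the question asks.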

Anton Levshunov

Reputation: 408

If you use Microsoft ASP.NET in the correct way then SSL is very transparent. Also, do not use self-signed certificates for SSL; it's not a good idea. Also, some WCF services will need to be reconfigured to use SSL.

  1. It is not the best idea to store user info in the session instead of cookies. But anyway, it works fine. It will work correctly with SSL also.

  2. It depends on the console application. If the root (or server) certificate is in the trusted root list and the console application was written in .NET and uses WebRequest or WCF, there will not be any issues. Also you can try to accept all certificates with ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; But in case your application uses Sockets or something similar, you will have problems, maybe.

  3. Key exchange is a very fast and transparent process. Don't worry about it.

Anyway, you can configure your IIS and application to allow access over http from trusted areas only and over https from any other places.

Upvotes: 1
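An added example for the console-client part of this answer (not code from the answer or from the asker's project): a .NET console client that keeps a single HttpClient alive so the TLS handshake is not repeated for every request (the asker's question 2 and 3), and that uses the certificate validation callback to check the server certificate rather than the delegate { return true; } shortcut quoted above, which silently accepts any certificate, including one presented by a man in the middle. It assumes the API is served at https://api.example.com and that ExpectedThumbprint holds the thumbprint of the certificate actually deployed on that server; both values are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example: one long-lived HttpClient per process plus a validation
// callback that enforces the normal checks and pins the server certificate.
// Assumptions (not from the original post): base URL and thumbprint below.
static class ApiClient
{
    // Hypothetical value: replace with the thumbprint shown in the deployed
    // certificate's details. Pinning means only this exact certificate is accepted.
    const string ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Created once. Each request reuses the handler's pooled connection, so the
    // full TLS handshake happens once, not once per request.
    static readonly HttpClient Http = Create();

    static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Per-client counterpart of ServicePointManager.ServerCertificateValidationCallback,
            // which is process-global on .NET Framework.
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler) { BaseAddress = new Uri("https://api.example.com/") };
    }

    // Returns true only when the certificate passes the default checks (trusted
    // chain, hostname match, not expired) AND is the certificate we pinned.
    // "delegate { return true; }" would skip every one of these checks.
    static bool ValidateServerCertificate(HttpRequestMessage request,
                                          X509Certificate2 certificate,
                                          X509Chain chain,
                                          SslPolicyErrors errors)
    {
        if (certificate == null)
            return false;

        // Any policy error (untrusted root, name mismatch, chain problem) is fatal.
        if (errors != SslPolicyErrors.None)
            return false;

        return string.Equals(certificate.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    static async Task Main()
    {
        // Two requests over the same client: the second reuses the open connection.
        for (int i = 0; i < 2; i++)
        {
            using (HttpResponseMessage response = await Http.GetAsync("status"))
            {
                string body = await response.Content.ReadAsStringAsync();
                Console.WriteLine($"{(int)response.StatusCode} {body}");
            }
        }
    }
}
```

If the server really does use a self-signed certificate (which the answer advises against), the fix on the client is the one the answer gives first, putting that certificate in the trusted root store, not returning true from the callback. The pin above is optional; the line that matters is the one that rejects any SslPolicyErrors. Note also that the callback is called once per new connection, not per request, which is another reason to keep one HttpClient rather than creating a new one for each call.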
