gh9

Reputation: 10703

disable ssl for a specific page

ENVIRONMENT
IIS 6
.NET 3.5 (WEB FORMS)

For various reasons I would like to turn off SSL at a page level. Is this best practice? What should I look out for while I am doing this? What is considered the safest way to do this? The way I was going to do this was:

Right-click on the page -> navigate to Properties -> click File Security -> then uncheck Require secure channel.

Will this affect other pages? Any help would be great, thank you.

Upvotes: 1

Views: 3114

Answers (1)

mellamokb

Reputation: 56769

Note: I am using .aspx to represent ASP.Net pages, but the following should apply in general.

Even if you uncheck require secure channel, I believe it will still use the secure channel (because you are telling it SSL is not required, but that doesn't mean it can't still use SSL). For instance, if you navigate from secure_page1.aspx to unsecure_page2.aspx, it will navigate over HTTPS (or whatever protocol the first page used) by default, i.e., it won't automatically switch from HTTPS to HTTP when you click the particular page link. The only way to do that is with absolute URL links, i.e., on https://www.mydomain.com/secure_page1.aspx, you have a link on the page that says:

<a href="http://www.mydomain.com/unsecure_page2.aspx">Link to unsecure page</a>

Personally, I would recommend that if a website requires any SSL pages, that the whole website be SSL, or entire sections of it (say the ordering system) be SSL rather than just individual pages that need to be secure. A big gotcha here is to remember that any page that will send critical info must be SSL before the user enters the form. For instance, don't make Login.aspx non-SSL, then Login-Post.aspx (the form post action url) SSL, because that is not secure.

I must admit I have done a project where the website was a mix of HTTP and HTTPS, and we wanted to force the user's browser to use the protocol we wanted. The main reason for this is that HTTP pages are more efficient both on the server and browser than HTTPS, because the encryption adds overhead to each request. I used the following (hackish) method for that project:

  1. Every redirect / link is channeled through a helper method that is aware of which pages are supposed to be viewed as HTTP vs. HTTPS (this works only if you are using some server-side code, otherwise you will have to update all the links manually.)
  2. If navigating from same protocol to same protocol (HTTP -> HTTP, HTTPS -> HTTPS), just emit / redirect normally (i.e., relative link).
  3. If navigating from HTTP -> HTTPS, just emit / redirect normally, except use an absolute URL to change the protocol.
  4. If navigating from HTTPS -> HTTP... this is the really hard one, because most browsers will display a warning message to the user if you just emit an absolute URL link with the protocol change. You have to use a META-Refresh redirect.

I use a redirection helper page redirect.aspx?url=unsecure_page2.aspx, which basically emits a meta tag like this:

<meta http-equiv="refresh" content="0;url=http://www.mydomain.com/unsecure_page2.aspx">
You are being redirected to http://www.mydomain.com/unsecure_page2.aspx.
If you aren't redirected in 5 seconds, please click <a href="http://www.mydomain.com/unsecure_page2.aspx">here</a>.

Then when you are on https://www.mydomain.com/secure_page1.aspx, and you want to redirect to unsecure_page2.aspx, you use the redirect helper:

See unsecure page <a href="redirect.aspx?url=unsecure_page2.aspx">here</a>!

Upvotes: 1
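
An added example, not part of the answer above and not code from the project it describes: the link helper from steps 1 to 4 and the redirect.aspx page, written in C# so that the url parameter is honored only for pages in the helper's own table, which keeps redirect.aspx from forwarding to arbitrary addresses. The class and method names are hypothetical; the host and page names are the answer's placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added illustration. ProtocolLinks, LinkTo and RenderRedirect are hypothetical names.
public static class ProtocolLinks
{
    private const string Host = "www.mydomain.com"; // placeholder host from the answer

    // Step 1: the single table that knows which pages are HTTPS (true) or HTTP (false).
    private static readonly Dictionary<string, bool> RequiresSsl =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { "secure_page1.aspx", true },
            { "unsecure_page2.aspx", false }
        };

    // Steps 2-4: returns the href to emit for a link to targetPage.
    // Pass Request.IsSecureConnection as currentIsSsl.
    public static string LinkTo(string targetPage, bool currentIsSsl)
    {
        bool targetIsSsl;
        if (!RequiresSsl.TryGetValue(targetPage, out targetIsSsl))
            throw new ArgumentException("Unknown page: " + targetPage);

        if (targetIsSsl == currentIsSsl)
            return targetPage;                            // same protocol: relative link
        if (targetIsSsl)
            return "https://" + Host + "/" + targetPage;  // HTTP -> HTTPS: absolute URL
        return "redirect.aspx?url=" + HttpUtility.UrlEncode(targetPage); // HTTPS -> HTTP
    }

    // Body of redirect.aspx: emits the meta-refresh markup only for known HTTP pages.
    // Returns null for anything else so the caller can answer 400 instead of redirecting.
    public static string RenderRedirect(string urlParam)
    {
        bool targetIsSsl;
        if (urlParam == null || !RequiresSsl.TryGetValue(urlParam, out targetIsSsl) || targetIsSsl)
            return null;

        // HTML-encode before writing into attribute and text positions.
        string target = HttpUtility.HtmlEncode("http://" + Host + "/" + urlParam);
        return "<meta http-equiv=\"refresh\" content=\"0;url=" + target + "\">\n"
             + "You are being redirected to " + target + ".\n"
             + "If you aren't redirected in 5 seconds, please click <a href=\""
             + target + "\">here</a>.";
    }
}
```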
