asp_web_howto thread: How do I force SSL ??
Message #1 by "Dilg, Jared (US - Hermitage)" <jdilg@d...> on Mon, 10 Dec 2001 09:38:25 -0600
This should be a simple question. I just installed my company's site
certificate on my test IIS server and configured the site to use Basic
Authentication with our NT domain. I can access the site with SSL by
explicitly using https://, but if I type just the site name in a browser, it
will access the site using http and no SSL security. Is there a way to
force the use of SSL, and if so is it done with IIS settings or ASP code?
Jared Dilg
- This message (including any attachments) contains confidential information
intended for a specific individual and purpose, and is protected by law. -
If you are not the intended recipient, you should delete this message and
are hereby notified that any disclosure, copying, or distribution of this
message, or the taking of any action based on it, is strictly prohibited.
Message #2 by "Daniel O'Dorisio" <daniel@o...> on Mon, 10 Dec 2001 19:33:56 -0500
You can use the ServerVariables collection to see what port you are on. If
it is 80, change to SSL.
daniel
--
-----------------------------
Daniel O'Dorisio
daniel@o...
www.odorisio-networks.com
-----------------------------
Message #3 by "Ken Schaefer" <ken@a...> on Tue, 11 Dec 2001 12:30:00 +1100
You can do it using ASP code, by checking the Request.ServerVariables
collection. There is a variable called HTTPS or similar which returns a
value "ON" or "OFF". If it's off then just redirect the user.
Alternatively (the preferred way), in the IIS MMC you can use the Directory
Security tab and check the box that says "Require a Secure Connection" - you
can apply this to individual folders, files, or the whole website.
Cheers
Ken
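A sketch of the ASP-side check described in the replies above, added here as an illustration and not code posted by any participant. `ForceSsl` and `CANONICAL_HOST` are assumed names, and the host value is a placeholder for the name on the site certificate.

```asp
<%
' Added example: place at the very top of a page (or in a shared include),
' before any output is written, so the redirect header can still be sent.

' Placeholder: set this to the host name the certificate was issued for.
Const CANONICAL_HOST = "intranet.example.com"

Sub ForceSsl()
    Dim target, qs

    ' IIS exposes HTTPS as "on" or "off"; compare case-insensitively.
    ' This is more direct than testing SERVER_PORT for 80, which breaks
    ' when the site listens on non-default ports.
    If LCase(Request.ServerVariables("HTTPS")) = "on" Then Exit Sub

    ' Redirect only GET and HEAD. A POST that arrived over http has
    ' already sent its form body in the clear, so refuse it instead of
    ' silently bouncing the browser.
    Select Case UCase(Request.ServerVariables("REQUEST_METHOD"))
        Case "GET", "HEAD"
            ' fall through to the redirect below
        Case Else
            Response.Status = "403 Forbidden"
            Response.Write "HTTPS is required."
            Response.End
    End Select

    ' Build the target from a fixed host name rather than the
    ' client-supplied Host header, so the destination cannot be steered.
    target = "https://" & CANONICAL_HOST & Request.ServerVariables("URL")
    qs = Request.ServerVariables("QUERY_STRING")
    If Len(qs) > 0 Then target = target & "?" & qs

    Response.Redirect target
End Sub

ForceSsl
%>
```

This check runs only once IIS has handed the request to ASP, so it complements the "Require a Secure Connection" setting rather than replacing it.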
Message #4 by "George Draper" <georgedraper@m...> on Mon, 10 Dec 2001 20:27:06 -0500
There is a check box in the IIS settings to require
SSL for a particular portion of the site. It's in the directory
security area of the settings. If you don't require SSL, then you get
the behavior you experienced on your site.
- George
Message #5 by "craigw" <craigw@w...> on Tue, 11 Dec 2001 10:32:03
Because SSL sends messages in an encrypted format, data transfer is
slower, and so it is generally only used for sensitive data transfers like
password authentication. If you have a login page on your front page, it
can be redirected to https:// when you send the form - that gives you the
option of not forcing the use of SSL unless definitely required.
Message #6 by "Dilg, Jared (US - Hermitage)" <jdilg@d...> on Tue, 11 Dec 2001 09:39:27 -0600
Thank you everyone for your replies! They're very helpful. Craig brought up
a very good point about the performance of SSL and restricting its use to
the login page, which is all I wanted it for. However if a user points their
browser to a secondary page on the site they will get a login prompt that
will pass their credentials insecurely. Should I then test against session
variables to see if the user should be redirected to the secure SSL login
page?? My site is internal to our department and will receive very little
traffic so going all SSL may be a more straightforward solution. What do
you all think?
Thanks again,
Jared Dilg