problem with SSL

  • Question

  • User-908650885 posted

    Hi friends,

    I was reading the following article from MSDN and have a question about it. Please share your ideas with me:

    The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID. Direct Link

    My website is a shopping website, so I enabled SSL with this in web.config on the forms authentication element:

    requireSSL="true"

    It gave this error:

    The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol).
    However, the current request is not over SSL.

    On this line:

    FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet);

    I saw this link:

    http://weblogs.asp.net/scottgu/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates

    Do you think I have to use this way to enable SSL on my website?

    Or do you think there is no need at all?

    I became a little bit confused :|

    Tuesday, June 17, 2014 11:10 AM
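The settings discussed in the question above, as an added example that is not part of the original post or the MSDN article: `requireSSL` on `<forms>` only marks the authentication ticket cookie as secure, while the SessionID cookie is governed by `<httpCookies>` and `<sessionState>`. The sample configurations are constructed, and `audit_web_config` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the thread): forms auth requires
# SSL, but nothing keeps the SessionID off plain HTTP or out of the URL.
SAMPLE_WEAK = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" requireSSL="true" />
  </authentication>
  <sessionState cookieless="AutoDetect" />
</system.web></configuration>"""

# Constructed counterpart with the session cookie restricted to HTTPS.
SAMPLE_HARDENED = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" requireSSL="true" />
  </authentication>
  <httpCookies requireSSL="true" />
  <sessionState cookieless="UseCookies" />
</system.web></configuration>"""


def _attr(web, path, name, default):
    """Read an attribute (lower-cased), falling back to the ASP.NET default."""
    node = web.find(path)
    return (node.get(name, default) if node is not None else default).lower()


def audit_web_config(xml_text):
    """Return findings about how auth and session cookies are transported."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    if _attr(web, "authentication/forms", "requireSSL", "false") != "true":
        findings.append("forms: auth ticket cookie not marked Secure")
    if _attr(web, "httpCookies", "requireSSL", "false") != "true":
        findings.append("httpCookies: session cookie not marked Secure")
    # Any mode other than UseCookies (legacy value: false) can put the
    # SessionID in the URL, where it also leaks via logs and Referer headers.
    mode = _attr(web, "sessionState", "cookieless", "usecookies")
    if mode not in ("usecookies", "false"):
        findings.append("sessionState: SessionID may appear in the URL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_web_config(cfg))
```

Once either `requireSSL` setting is on, the affected cookie is only issued and returned over HTTPS, which is why the login request in the question fails when it arrives over plain HTTP.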

All replies

  • User-2010311731 posted

    In the article you reference, it says...

    The good news is that IIS 7.0 makes it radically easier to configure and enable SSL.  IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable you to easily create test/personal certificates that you can use to quickly SSL enable a site for development or test purposes.

    It is a good idea to test a secure site with a self-signed certificate.  When you go to production, you should purchase a professional certificate (like VeriSign or Symantec) or your users will get a warning that your site may not be secure.

    Matt

    Tuesday, June 17, 2014 1:39 PM
  • User-908650885 posted

    Yes, you are right. I forgot to add that my purchase operation is directly via a bank gateway, and of course the bank gateway uses SSL.

    With this assumption, do you still recommend that I use SSL?

    Because I haven't seen any shopping website start with https before.

    Or maybe I am thinking wrong, I don't know.

    Tuesday, June 17, 2014 2:20 PM
  • User-2010311731 posted

    You don't necessarily have to have every page secured, but you should secure login pages and the checkout where you might be transmitting sensitive data like username, password, email, address, credit card #, etc.  For example, Amazon's home page is http, but if you click Log In, it turns to https.

    Matt

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 17, 2014 3:20 PM
  • User-908650885 posted

    OK, now I got your meaning. OK, I will do what you said.

    And one more question: how can we specify HTTPS for a desired page?

    Is that possible with Windows IIS, as in the link I referred to earlier?

    Tuesday, June 17, 2014 4:23 PM
  • User-2010311731 posted

    Take a look at SecuritySwitch...

    http://code.google.com/p/securityswitch/wiki/GettingStarted

    Here is the original article that gives more details...

    http://www.codeproject.com/Articles/7206/Switching-Between-HTTP-and-HTTPS-Automatically-Ver

    Matt

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 18, 2014 10:37 AM
  • User-908650885 posted

    My bad luck, it's telling me "Request not allowed from your country."

    Would you please email me that page or attach the project, if possible?

    Thanks for your help on this topic, AZMatt.

    Wednesday, June 18, 2014 2:27 PM