Hi,

  1. Is it possible to secure only the Login.aspx page (and the postback) and not the whole site in IIS?
  2. We are looking to do this specifically with a SharePoint site running Forms Based Authentication against our Active Directory.
  3. Links to this will be helpful.

This is what we have done so far:

  1. Set up SharePoint to use FBA against AD.
  2. Moved Login Page to Secure/Login.aspx
  3. Set the appropriate login URL in web.config as https://..../Secure/Login.aspx

This is not working and help is needed here. However, even if this works, how do we get the user back to http from https?

Kind regards, Ashish Sharma

+3  A: 

There's not a whole lot of point. If the only thing that's encrypted is the Login.aspx page, that would mean that someone could sniff all the traffic that was not sent through the login page.

Which might prevent people from getting user:pass, but all your other data is exposed.

Dan Williams
Hi, thanks for the reply. We don't want the data secured. We just need the user credentials secured as they are the AD credentials.
SharePoint Newbie
A: 

Besides all the data which is exposed, and the user's operation which can be changed en route, the user's session id (or other authentication data) is sent in the clear. This means that an attacker can steal your cookie (...) and impersonate you to the system, even without getting your password. (If I remember correctly SPSv.3 also supports a built-in password changing module...)
So I would say that this is not a Great Idea, unless you don't care about that system very much anyway.... But then, why bother with authentication at all? Just make it anonymous?

AviD
No, we have already disabled the Change Password functionality.
SharePoint Newbie
So again, it should be okay only if the system is not sensitive, but again why bother with authentication at all?
AviD
A: 

Why not just use NTLM authentication on the IIS website? Won't that work?

spoon16
We have a Squid reverse proxy, which has issues with NTLM. Kerberos is not an option as we have to integrate with other consumer ADs.
SharePoint Newbie
A: 

I agree with AviD and Dan Williams that securing only the login page isn't a great idea because it exposes other data after leaving the password page. However, you can require SSL for only the login.aspx page via the IIS Manager. If you navigate to the login.aspx page in IIS Manager (I believe it's under /_layouts), you can right-click on the individual file and select Properties. From there, go to the File Security tab and click on the Edit... button under Secure communications. There, you can check the Require secure channel (SSL) box, and SSL will be required for that page only.

I'm not positive about getting the user back to http from there, but I believe its default behavior is to send you to the requested page if the login is successful. If not, I would think you could customize where the login page sends you on a successful login.

Abs
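As an added illustration (not from the thread or from SharePoint's own configuration), here is the web.config setting that addresses the cookie exposure AviD describes: the weak form matches the setup in the question, the hardened form marks the forms-authentication cookie Secure so the browser never sends it over plain HTTP. The host name is a placeholder.

```xml
<!-- web.config fragment, added illustration; host name and paths are placeholders. -->
<configuration>
  <system.web>
    <!-- Weak: only the login page is served over HTTPS. The authentication
         cookie it issues carries no Secure flag, so every later http://
         request sends it in the clear, which is the cookie theft AviD describes. -->
    <!--
    <authentication mode="Forms">
      <forms loginUrl="https://PLACEHOLDER-HOST/Secure/Login.aspx" />
    </authentication>
    -->

    <!-- Hardened: requireSSL sets the Secure flag on the forms cookie, so the
         browser will not send it over http://, and ASP.NET refuses to issue it
         on a non-SSL request. httpCookies applies the same default to the other
         cookies the application issues (the session cookie included) and marks
         them HttpOnly so script cannot read them. -->
    <authentication mode="Forms">
      <forms loginUrl="https://PLACEHOLDER-HOST/Secure/Login.aspx"
             requireSSL="true" />
    </authentication>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Because a Secure cookie is never presented on http:// pages, sending the user back to HTTP after login, as the question asks, would leave them unauthenticated there; the hardened setting only works if the whole authenticated session stays on HTTPS.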