The site needs to be accessible both from HTTP and HTTPS (in case the client wants the form submissions to be secure or not)

The site is hosted in IIS6 and ideally I'd like to be able to just have one website in there that can handle both HTTP and HTTPS. Is this possible?

Alternatively, I was thinking of maybe creating a "secure" subdirectory in the site and duplicating everything in there as well. Is that feasible?

This is further complicated by the fact that it is using ASP.NET 3.5's routing ability to do URL rewrites, so even if I create a secure subdirectory, I dunno if it will actually pick up that it's supposed to be SSL approved.

A: 

It is possible. There is a checkbox on the security settings that allows you to "Require ssl" for connections. It is then up to you to manage transitions between https and http with redirects or links.

More information on this here. Just skip step 6.

Joel Potter
A: 

I'm not sure about IIS 6, but in IIS 7 you select the site, go to Bindings, click Add and select https. It will automatically choose port 443, and then you choose your SSL certificate.

Yassir
A: 

You can have IIS 6 and IIS 7 operate the same site with HTTPS as well as HTTP. In IIS 6 there is a restriction that you can't use host headers, so you'll need a dedicated IP address for it. Simply bind it to the IP address and then set up the cert. Don't use the "require https" option and just enforce it in the sections of your application that you want.

Martin Murphy
You actually can use host headers with IIS6, but you have to mess around a bit. In IIS7 there is still no GUI support for using host headers, but it's a little easier to configure... just a little easier.
Joel Potter
You can either enforce SSL via code in your page or through IIS directly on the page or folder level. I worked somewhere where someone who set up our site(s) didn't know this and split the SSL site off into its own separate website. What a pain that was.
Sneal
Due to the nature of SSL, you cannot use name-based virtual hosts unless you use a different IP+port combination. SSL has been extended to overcome this limitation (http://tools.ietf.org/html/rfc3546), but you need both server *and* browser to support this, and as far as I know it's still not widely implemented (http://en.wikipedia.org/wiki/Server_Name_Indication).
Álvaro G. Vicario
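One way to do the "enforce it in the sections of your application" approach from the answer and comments above, as an added example that is not code from any of the posters. The module name and the two path prefixes are hypothetical; it matches on the requested URL rather than on a physical folder, so it does not depend on how ASP.NET routing maps the request.

```csharp
using System;
using System.Web;

// Added example: site is bound to both http and https, "Require SSL" left off.
public class RequireHttpsForSectionsModule : IHttpModule
{
    // Hypothetical prefixes; replace with the routes that carry form posts.
    private static readonly string[] SecurePrefixes = { "~/account", "~/checkout" };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static bool NeedsHttps(string appRelativePath)
    {
        foreach (string prefix in SecurePrefixes)
        {
            // Match "~/checkout" and "~/checkout/...", but not "~/checkout-help".
            if (appRelativePath.Equals(prefix, StringComparison.OrdinalIgnoreCase) ||
                appRelativePath.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;
        if (req.IsSecureConnection) return;

        // BeginRequest runs before routing, so this is the URL the client asked for.
        string path = VirtualPathUtility.ToAppRelative(req.Path);
        if (!NeedsHttps(path)) return;

        if (req.HttpMethod == "GET" || req.HttpMethod == "HEAD")
        {
            // Same host, path and query; https scheme on its default port (443).
            UriBuilder target = new UriBuilder(req.Url);
            target.Scheme = Uri.UriSchemeHttps;
            target.Port = -1;
            app.Response.Redirect(target.Uri.AbsoluteUri, true);
        }
        else
        {
            // A POST over http already sent its body in clear text: reject, don't redirect.
            app.Response.StatusCode = 403;
            app.Response.End();
        }
    }
}
```

On IIS6 the module is registered under `<system.web><httpModules>` in web.config, and it only sees requests that IIS hands to ASP.NET.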
A: 

This is all very possible but,

The site needs to be accessible both from HTTP and HTTPS (in case the client wants the form submissions to be secure or not)

If you have the capability for them to use SSL I wouldn't give them a choice. Just make them use it. Most users don't know the difference between secure and unsecure connections or even why they should care. Just force everyone to use a secure connection for form submissions.

Alternatively, I was thinking of maybe creating a "secure" subdirectory in the site and duplicating everything in there as well. Is that feasible?

Yes, but what is far more common is to have a secure subdomain. Check out most shopping sites: while you're browsing products and such you'll be looking at www.someshoppingsite.com. The moment you begin checking out you'll be forwarded to secure.someshoppingsite.com. If you create an SSL subfolder I guarantee you at some point it will be disabled accidentally and no one will notice for weeks.

Spencer Ruport