Can you have one page in a .NET application that is https but the rest be http? For instance, just the login page? Does this take extra setup in the application or is it just as simple as an IIS setting?
I believe you could set a folder to require https within IIS, but not a single page easily. Within the code for that single page, you could enforce a check to use SSL and on all the other pages enforce that SSL isn't used, but that seems like a lot of work for little gain to my mind.
There is no native way to do this in IIS or even in the web.config that I know of.
However, this can be done in code.
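A sketch of the in-code check the answers above describe, added here as an illustration and not code posted by anyone in this thread. It assumes an ASP.NET Web Forms application with a `Global.asax.cs`, and `~/Login.aspx` is a placeholder for the page that must use HTTPS:

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: app-relative paths that must only be served over HTTPS.
    private static readonly HashSet<string> SecurePaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "~/Login.aspx" };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;

        // Skip local requests so development without a certificate still works.
        if (request.IsLocal) return;

        bool mustBeSecure = SecurePaths.Contains(request.AppRelativeCurrentExecutionFilePath);
        if (!mustBeSecure || request.IsSecureConnection) return;

        // A non-GET request that arrived over HTTP has already sent its body
        // (for example a password) in clear text; refuse it instead of redirecting.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 403;
            CompleteRequest();
            return;
        }

        // Rebuild the same URL with the https scheme and its default port.
        var target = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        Response.Redirect(target.Uri.AbsoluteUri, false);
        CompleteRequest();
    }
}
```

The handler only upgrades the listed pages and leaves every other page on whatever scheme the request used. An authentication cookie issued by the login page still travels over plain HTTP on those other pages unless it is marked secure, in which case the HTTP pages will not receive it.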
Yes you can. I recommend this free open source DLL that lets you designate which pages and folders need SSL and which don't:
http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
So you can set up a page to be secure in your web.config like this:

    <secureWebPages encryptedUri="www.example.com" unencryptedUri="www.example.com" mode="RemoteOnly">
        <files>
            <add path="/MustBeSecure.aspx" secure="Secure" />
        </files>
    </secureWebPages>

I don't know if I would recommend it or not, but many web applications are split into two applications, one for the login application, and one for the rest of the application that relies on the authentication being performed by the other app. If you think of how an OpenID application such as Stack Overflow redirects you to another site to log in, that might work for your situation.