I have a login form on the home page of an ASP.NET 3.5 website which, for performance reasons, needs to be accessed with a standard HTTP connection. Since the normal postback for an ASP.NET page is a relative call for the post, it would mean that when the browser posts, the values are sent unprotected.

I would like to do one of two things to make this secure:

  1. Force the Postback to be secure to the same page
  2. Send the post to a different page using an HTTPS connection

Is there a way to implement option one?

I'm also looking at the Authentication Service, but looking at the URL reference it is using a relative path:

Sys.Services._AuthenticationService.DefaultWebServicePath = '../Authentication_JSON_AppService.axd';

I don't see a way to override this to put in an HTTP path.

+1  A: 

You can change the form's action property with JavaScript to tell it to submit to a different page with HTTPS. I have done this and it works nicely.

You could also change it to submit to the same page with HTTPS, but I think ASP.NET would complain about that (not sure - never tried it).

Sample script:

document.forms[0].action = "https://www.whatever.com/submit_page.aspx";
Ray
Could you point me to a working version of this approach? I'd like to avoid writing a custom JavaScript function because of the extra testing needed.
Josh
I can't show you mine, but the script is pretty simple - I edited my answer, since it doesn't display well in the comment.
Ray
Ray, are you doing this with ASP.NET 3.5 Web Forms? I receive a viewstate validation error when I tried that approach: "Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster."
Josh
Actually, the page where I use this posts to an HttpHandler so there is no view state validation on the receiving end. If you are posting back to the same page, then you may not be able to do it. You could try turning off view state and page validation to see what happens.
Ray
I had to set enableViewStateMac for it to work. Matt Sollars had a similar recommendation, only via server-side coding. URL: http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx?msg=3373744#xx3373744xx
Josh
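
An expanded form of the one-line script in the answer above, as an added example that is not code from either poster: it derives the HTTPS URL from the form's own relative action instead of hard-coding it. The `HTTPS_PORTS` mapping and the `example` host names in the comments are constructed assumptions.

```javascript
// Added example: derive the HTTPS postback URL from the form's own action.
// HTTPS_PORTS is a hypothetical mapping for sites on non-default ports.
const HTTPS_PORTS = { "8080": "8443" }; // constructed sample value

function toHttpsAction(action, pageUrl) {
  const page = new URL(pageUrl);
  // WebForms renders a relative action (e.g. "Default.aspx"); resolve it
  // against the page URL. An empty action resolves to the page itself.
  const target = new URL(action || "", page);
  // Only rewrite postbacks that stay on the site that served the form.
  if (target.hostname !== page.hostname) {
    throw new Error("form action points at another host: " + target.hostname);
  }
  if (target.protocol === "https:") {
    return target.href; // already secure, leave untouched
  }
  if (target.protocol !== "http:") {
    throw new Error("unexpected scheme: " + target.protocol);
  }
  const httpPort = target.port; // "" means the default port 80
  if (httpPort !== "" && !(httpPort in HTTPS_PORTS)) {
    throw new Error("no HTTPS port known for HTTP port " + httpPort);
  }
  target.protocol = "https:";
  if (httpPort !== "") {
    target.port = HTTPS_PORTS[httpPort];
  }
  return target.href;
}

// In the browser, apply it once the form exists (same effect as assigning
// document.forms[0].action by hand, without hard-coding the URL).
if (typeof document !== "undefined" && document.forms.length > 0) {
  const form = document.forms[0];
  form.action = toHttpsAction(form.getAttribute("action"), window.location.href);
}
```

The rewrite protects the credentials in the POST body; the page and this script still arrive over HTTP, so the form itself is not integrity-protected in transit.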
+2  A: 

You could use Cross-Page posting:

http://msdn.microsoft.com/en-us/library/ms178139.aspx

Nissan Fan
Wouldn't Cross-Page posting go to a different page? I'm trying to keep on the same page because I have to send validation and error messages back on the same page.
Josh