We have an application built on ASP.NET MVC 1.0 which, once deployed, should be accessed with HTTPS. I tried a few approaches for HTTPS but I have a few questions:

  1. My home page does not need to be secured (HTTPS), but the rest of the hyperlinks following it will be secured.

  2. I read about the action method attribute [requiresHTTPS]; however, I want to understand what happens to that tag during development on a local machine.

  3. In a development environment, how do I install a certificate on a dev machine/virtual directory to code and test my changes?


So this application is complex in nature and we have around 13 controllers and 50 action methods. This application will have information like credit card numbers since we do accept payment through this website.

Thanks much!

A: 

If it is just about a few static pages of your application that don't need to be secured, I would strongly recommend simply requiring SSL for everything by configuring two different sites in IIS: one for the actual page only on port 443, and one on port 80 with a permanent redirect.

Advantages:

  • Your application and code don't have to know anything about SSL, and you don't need an SSL certificate on your dev machine. The web server does it all for you.
  • No cookie and HTTP caching mess with the HTTP/HTTPS flip-flop.
  • If security/privacy matters, it's the best solution anyway to require SSL for all pages.

Regarding the possible disadvantage: serving a few requests on static resources via SSL is probably almost no overhead, compared to the rest of your application.

markus
I just updated the information on my question. Please advise me now on the approach.
amit
I guess my suggestion is still valid. Actually the question is: why would people want to run only parts of their web sites via HTTPS and the rest without? That's because SSL adds a little CPU overhead to every request. This was significant 10 years ago, and today, if you need 50 machines running your applications you could maybe save 5% of them if you use HTTPS only on selected pages, but honestly, most of the webservers out there are idle anyway most of the time, and the bottleneck for the typical web server today is not CPU, but memory and I/O in case of the database.
markus
Well, we only have 1 (home page) which need not be secured. The rest are all secured, and this recommendation is from the client. Now they also don't want another virtual directory to be created for a single page.
amit
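
The two-site layout recommended in the answer, sketched as an `applicationHost.config` fragment. This is an added example, not configuration posted by anyone in the thread. It assumes IIS 7 or later with the HTTP Redirection feature installed; the site names, ids, physical paths and the host name `www.example.com` are placeholders.

```xml
<!-- Added example: fragment of %windir%\System32\inetsrv\config\applicationHost.config -->
<!-- Site names, ids, paths and www.example.com are placeholders, not values from the thread. -->
<system.applicationHost>
  <sites>
    <!-- Site 1: the MVC application, reachable over HTTPS only (no port 80 binding). -->
    <!-- The certificate is attached to the 443 binding on the server (IIS Manager or netsh), -->
    <!-- so the application code never has to deal with SSL. -->
    <site name="PaymentApp" id="2">
      <application path="/">
        <virtualDirectory path="/" physicalPath="C:\inetpub\PaymentApp" />
      </application>
      <bindings>
        <binding protocol="https" bindingInformation="*:443:" />
      </bindings>
    </site>

    <!-- Site 2: port 80 only, points at an empty folder and serves no content of its own. -->
    <site name="PaymentAppRedirect" id="3">
      <application path="/">
        <virtualDirectory path="/" physicalPath="C:\inetpub\RedirectStub" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="*:80:" />
      </bindings>
    </site>
  </sites>
</system.applicationHost>

<!-- Every request to the port 80 site gets a permanent (301) redirect to HTTPS. -->
<!-- $V is the requested path and $Q the query string (with its leading "?"), so deep links -->
<!-- survive the redirect. exactDestination="true" stops IIS from appending the path a second time. -->
<location path="PaymentAppRedirect">
  <system.webServer>
    <httpRedirect enabled="true"
                  destination="https://www.example.com$V$Q"
                  exactDestination="true"
                  httpResponseStatus="Permanent" />
  </system.webServer>
</location>
```

Because the application site has no HTTP binding at all, a page can never be served in clear text by accident; a request to `http://www.example.com/Checkout?id=1` should come back as a 301 whose `Location` header is the same path and query on `https://`.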