A colleague and I had a heated debate yesterday whether it is safe to send login credentials via URL parameters as a means of authentication. He correctly pointed out that HTTPS encrypts all non-hostname/port characters in a URL before sending a request to the server side.
However, I still think there are edge cases here where it is po...
Assuming a single page application accessed initially via HTTP that uses AJAX for all server interaction, is it possible to use HTTP for regular data transfers and then switch to AJAXian HTTPS requests for secure data transfers?
If so, how would the browser handle the certificate and locking notification when an HTTPS AJAX request was ...
I am writing a very simple web service for my iPhone app. Let's say this is an HTTP page that returns a random number at http://mysite/getRand. How do I ensure that this page can only be accessed from my iPhone app and not from other clients? I've thought of doing some simple password mechanism but that can easily be sniffed by capturing ...
We have the following example "ugly" URL:
https://some.uglyurl.com/directory/test.jsp?hotelid=1111&rateplanid=33333
We need to direct our customers to the above URL using our own domain's URL as the address - so it would look something like:
https://www.PrettyURL.com/reservations?hotelid=1111&rateplanid=33333
The idea being ...
Background info:
We are a small company with a Microsoft server ISA 2000 configured by an external technician for our company network. Though computer professionals, web hosting and networking is NOT our strength!
Our ISP uses Parallels Business Automation - Control Panel (Plesk?) to allow us to administer our websites. We are given a UR...
Hi,
I am trying to access an HTTPS WCF service from Silverlight.
The clientaccesspolicy is placed on the service root and I have validated through silverlightspy; it's showing it as valid and calls allowed.
I am able to call that webservice successfully from a desktop client, but when I try to call from Silverlight it throws an error that call to ...
I've set up a website for IIS compression, but it doesn't appear to be working for HTTPS, just HTTP. Is there something that needs to be configured to get this to work, or does this not work in IIS? What options are there?
UPDATE: According to this the compression is occurring before the encryption. If compression is occurring for SSL re...
What is the difference between the https protocol and the SSL certificate that we use in a web browser?
Aren't both of these used to encrypt communication between client (browser) and server?
...
We have been using ServerXMLHTTP to send HTTPS POSTs for credit card processing. Recently one of our users experienced a problem resulting in the error "An internal error occurred in the Microsoft Windows HTTP Services". The problem was resolved by updating IE. Now the user is claiming that our use of "internet explorer dll's" is a s...
I'm working on a small website for a local church. The site needs to allow administrators to edit content and post new events/updates. The only "secure" information managed by the site will be the admins' login info and a church directory with phone numbers and addresses.
How at risk would I be if I were to go without SSL and just hav...
I have a site with an SSL cert for www.foo.com. What is the cleanest way to redirect requests to the https:// prefix? Do I have to build links server side instead of relying on resolving urls with relative paths, ~/?
Also, say I redirect to an https:// page, the links on the page are all created in a master page and are resolved with r...
Suppose I set up a simple PHP web server with a page that can be accessed by https. The url has simple parameters like https://www.example.com/test?abc=123. Is it true that the parameter here in this case will be safe from people sniffing the packets? And would this be true if the server does not employ any SSL certificate?
...
I'm allowing authenticated users to upload image files with my PHP application. Assume I've built in the necessary security to make sure the file itself is valid, is there a possibility of the http transmitted file to be intercepted in some way? If so, how can I protect the transmission of the file? Would HTTPS be the way to go?
Also, ...
Hi Guys,
I am trying to download a file over HTTPS and I just keep running into a brick wall with correctly setting Cookies and Headers.
Does anyone have/know of any code that I can review for doing this correctly? i.e. download a file over https and set cookies/headers?
Thanks!
...
I currently need to have 2 subdomains under the same domain under SSL.
Both subdomains (www and affiliate) are on the same IIS server, under the same IP, and each one has specified a host header value (www.mydomain.com and affiliate.mydomain.com)
The first subdomain (www), which is the default, works great, with and without SSL.
The sec...
I'm wondering if there is a way to ensure that an ASP.NET application can only be run using the HTTPS protocol.
I'm fine with any code (defensive programming measure perhaps?) that can do the trick, or possibly some IIS/web server setting that can get the job done.
...
I'm looking at a web application with a Response.Redirect between two Https pages. I would assume normally that the query string parameters aren't visible for https requests because of the secure connection. However, since the Response.Redirect sends back the 302 - Object Moved response in between the two pages along with query string va...
I have the following simple code to connect to a SSL webpage
NSMutableURLRequest *urlRequest=[NSMutableURLRequest requestWithURL:url];
[ NSURLConnection sendSynchronousRequest: urlRequest returningResponse: nil error: &error ];
Except it gives an error if the cert is a self-signed one: Error Domain=NSURLErrorDomain Code=-1202 UserInfo=...
I want to use SSL (https) to secure communication. Is it possible to do it without buying a certificate of some sort?
...
As far as I can tell, there are no unsecure items --- when I browse to the site with IE7 or Firefox 3 I don't get any such warning, but if I hit the site with IE6 I get the security information dialog box "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"
How can I track down the cause of tha...