C# – Setting up SSL page only on login page

asp.netciis

I want to set up SSL page for only login page. How can I do it? I a referring this article:

http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx

But this link sets up SSL on whole website which is never advisable. How can I just enable it for login page or other pages where secure information is needed. I am using IIS 7.5, Asp.Net 4.0

Best Answer

One simple way is to check if the page is secure when you entering the login page, and after the login to redirect him on a non secure page.

You can check if the page is secure by using this command 

HttpContext.Current.Request.IsSecureConnection

The IsSecureConnection, actually check if the url starts with https://

For exampe, if you add this on login page, on PageLoad or on init can do the work

if(!HttpContext.Current.Request.IsSecureConnection)
{
  Response.Redirect(Request.Url.Replace("http://","https://"),true);
  return;
}

But then you need to redirect him to the non secure page when you leave the login page.

One more complex way, but more sure, is to use a code that check not only one page, but all pages base on rules. I suggest this code that I personally use :

http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
and
http://code.google.com/p/securityswitch/

Ps The SSL is run in parallel with the non ssl pages, on different port. Its up to you where to navigate your users. So there is not "only one page ssl" option.

Related Topic