I found this link, "Best way in asp.net to force https for an entire site?", and it redirects the whole site to HTTPS.

I only want to use HTTPS for the pages that need to be authorized (usually with the [Authorization] attribute), e.g. account management and some other pages, plus the login page, and not use HTTPS for the pages that don't need to be authorized.

ca9163d9
  • You shouldn't do this. Read this article from MS http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx - Particularly the last bit under "Am I safe now" as to why using ssl just for login is a bad idea – Erik Funkenbusch May 18 '14 at 20:03

1 Answer

Don't.

Your authentication cookie will be included with every request whether you need it or not. This means every request you serve over HTTP instead of HTTPS is vulnerable to session hijacking.

user247702
  • Even for the pages that don't need to be authorized? – ca9163d9 May 18 '14 at 20:43
  • @dc7a9163d9 Yes. Your browser cannot know which pages need authorization. Once a cookie is set for a certain domain, it is sent with every request until it expires or it is removed. – user247702 May 18 '14 at 20:44
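The cookie behaviour described in the answer and its comments, as an added example that is not part of the original thread: it uses Python's standard-library cookie client as a stand-in for a browser and reports which requests on a mixed HTTP/HTTPS site carry the authentication cookie, with and without the `Secure` flag. The host name, paths and ticket value are constructed; `.ASPXAUTH` is the default ASP.NET forms-authentication cookie name.

```python
import http.cookiejar
import urllib.request

HOST = "shop.example"          # constructed host name
AUTH_COOKIE = ".ASPXAUTH"      # default ASP.NET forms-auth cookie name
TICKET = "constructed-ticket"  # constructed sample value


def jar_with_auth_cookie(secure):
    """Cookie jar holding one auth cookie, as stored after login."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name=AUTH_COOKIE, value=TICKET,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    ))
    return jar


def cookie_header(jar, url):
    """Cookie header the client would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def exposure_report(secure):
    """Map each URL of a mixed HTTP/HTTPS site to the Cookie header sent."""
    jar = jar_with_auth_cookie(secure)
    urls = [
        f"https://{HOST}/Account/Manage",   # page marked as needing auth
        f"http://{HOST}/Home/About",        # "public" page served over HTTP
    ]
    return {url: cookie_header(jar, url) for url in urls}


if __name__ == "__main__":
    for secure in (False, True):
        print(f"Secure flag = {secure}")
        for url, header in exposure_report(secure).items():
            print(f"  {url:40} Cookie: {header}")
```

With the `Secure` flag set the cookie stays off the HTTP request, so the pages served over HTTP cannot see the login at all.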