17

I'm getting ready to have an SSL cert installed on my hosting.

It is my understanding that (and correct me if I'm wrong...):

  1. Once the hosting guys install the cert, I will be able to browse my site on Http or Https (nothing will stop me from continuing to use Http)?

  2. The only thing I need to do, is add logic (in the case of MVC, Controller attributes/filters) to force certain pages, of my choosing, to redirect to Https (for instance, adding a [RequiresHttps] attribute sparingly).

Do I have to worry about doing anything extra with these things to make sure I'm using SSL properly? I'm not sure if I need to change something with logic having to do with:

  1. Cookies

  2. PayPal Express integration

Also, I plan on adding [RequiresHttps] only on the shopping cart, checkout, login, account, and administration pages. I wish to leave my product browsing/shopping pages on Http since I heard there is more overhead for using Https. Is this normal/acceptable/ok?

One more question... I know ASP.NET stores some login information in the form of an Auth cookie. Is it okay that a user logs in on an HTTPS page, but then can go back and browse on an HTTP page? I'm wondering if that creates a security weakness since the user is logged in and browsing on HTTP again. Does that ruin the point of using SSL?

I'm kind of a newb at this... so help would be appreciated.

Iglesk
Ralph N
  • Everything is basically correct, although I share your concern about using the cookie initially obtained on HTTPS over HTTP. If it's transmitted unencrypted, it will be vulnerable to communication snooping. I think you can avoid this by limiting the cookie to HTTPS, but I don't know how to do this for ASP.NET auth cookies – Zruty Mar 06 '12 at 10:19

2 Answers

15

Starting with your questions: (1) yes, nothing will stop you from using either HTTP or HTTPS for the same pages.

And (2) yes, you need to add your own logic for which pages will be shown only as HTTPS and which as HTTP. If someone is wondering why not show everything as HTTPS, the reason is speed: when you send pages as HTTPS they are bigger and the encoding/decoding takes a little more time, so if you do not need HTTPS, just switch to HTTP.

Switching Between HTTP and HTTPS Automatically is very good code to use for implementing the switching logic quickly and easily.

Cookies

When the cookie has to do with the user's credentials, you need to force it to be transmitted only with secure pages. What this means is that if you set a secure cookie over HTTPS, this cookie is NOT transmitted on non-secure pages, so it stays secure and a man in the middle cannot steal it. The catch is that this cookie cannot be read on HTTP pages, so you can only know whether the user is A or B on a secure page.

Cart - Products

Yes, this is normal: leaving the products and the cart on an unsecured connection, because the information is not so special. You start the HTTPS pages when you get to the user's real data, like name, email, address, etc.

Auth cookie

If you set it as secure only, then this cookie does not show up / get read / exist on unsecured pages. It is an issue if you do not make it secure only.

Response.Cookies[s].Secure = true;

Few more words

What we do with secure and non-secure pages is that we actually split the user data into two parts: one that is secure and one that is not. So we actually use two cookies, one secure and one not secure.

The non-secure cookie is, for example, the one that connects all the products in the cart, or maybe the user's history (what products they have seen). This is also data we do not actually care about if someone gets it, because even a proxy can see the user's history, or what the user sees, from the URL.

The secure cookie is the authentication one, which keeps some critical information about the user. So the non-secure cookie travels with the user everywhere on the pages, while the secure one is only on checkout, logged-in pages, etc.

Related

MSDN, How To: Protect Forms Authentication in ASP.NET 2.0
Setting up SSL page only on login page
Can some hacker steal the cookie from a user and login with that name on a web site?

Aristos

  • Excellent information. I understand how this works now, but have run into 1 issue that maybe you can help with. I have the user log in under SSL, but when I put him back on the browse page, I switch back to non-SSL. However, there is a little link on the top right of my header that says "Welcome, [AccountName]!" on every page in the site. User.Identity.IsAuthenticated is coming back false since the cookie is an SSL cookie... so this message doesn't show up anymore. Is there a quick workaround to making this work? – Ralph N Mar 06 '12 at 11:16
  • @RalphN No, there is no workaround. You need to connect the user name with the non-secure cookie of the user. – Aristos Mar 06 '12 at 11:19
  • I'm thinking I just might swallow my fears and make the entire site SSL then... as far as I understand it's only a slight overhead on the handshake, but the encryption on today's servers is ridiculously fast. If anyone feels like I'm wimping out and taking a performance hit, let me know (this is an ecommerce site... selling stuff... showing pictures/descriptions, adding to cart, etc.) – Ralph N Mar 06 '12 at 11:27
  • @RalphN Google has made all their pages SSL. However, you have more issues: the SSL page is bigger in size and does not permit caching, which makes your page a lot slower. Also any photo or other resource that misses SSL can throw a warning message, and this can make the user scared and leave. – Aristos Mar 06 '12 at 11:33
  • Oooo, that's bad then. I need image caching desperately since my store has bigger-than-usual images. I think I've thought of a workaround. When the user logs in, I'll create a second "username" non-SSL cookie that expires similarly to the real auth cookie. I'll drive that "Welcome...!" message based off the non-SSL cookie. Going to try to implement it now. – Ralph N Mar 06 '12 at 11:37
  • Ok, here's the result. I have only my browse page switch back to non-SSL. There are 2 things here that require the logged-in username: 1) the "Welcome...!" message on the top right, and 2) the "add to cart" AJAX method. Because I can't use User.Identity.Name, I instead create a "LoggedInUsername" non-SSL cookie during login and encrypt it (decrypt it later) with a very simple algorithm. I then use this username for those 2 purposes. I encrypted it, because you could potentially add items to other people's carts if you edit the cookie. This seems to solve all my problems! – Ralph N Mar 07 '12 at 08:31
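The two-cookie split Aristos describes, together with the display-name cookie Ralph N ends up building in the comments, written out as an added example for ASP.NET MVC; this is not code from the answer or the comments. It assumes Forms Authentication with requireSSL="true" on the <forms> element in web.config, which is what makes the framework issue the auth ticket cookie with the Secure flag, and a hypothetical appSetting named DisplayCookieKey holding a long random secret. The non-secure cookie is signed with an HMAC rather than encrypted, because the property the HTTP pages need is that nobody can edit it, not that the name is hidden:

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the answer's code. Assumes ASP.NET MVC with Forms Authentication,
// <forms requireSSL="true"> in web.config (so the auth ticket cookie carries the Secure
// flag), and a hypothetical appSetting "DisplayCookieKey" holding a long random secret.
public class AccountController : Controller
{
    public const string DisplayCookieName = "LoggedInUsername";

    [HttpPost]
    [RequireHttps]                      // credentials are only ever posted over HTTPS
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(username, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Cookie 1 (secure): the Forms Authentication ticket. With requireSSL="true"
        // it is marked Secure, so the browser never sends it on http:// pages.
        FormsAuthentication.SetAuthCookie(username, false);

        // Cookie 2 (non-secure): a display-only copy of the name for http:// pages.
        // It carries an HMAC so an edited value is rejected. It is readable on the
        // wire, which is acceptable only because it grants nothing by itself.
        Response.Cookies.Add(new HttpCookie(DisplayCookieName, SignedValue(username))
        {
            HttpOnly = true,
            Secure = false,                                            // must travel over HTTP
            Expires = DateTime.UtcNow.Add(FormsAuthentication.Timeout) // same lifetime as the ticket
        });

        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        // Expire the display cookie too, or the "Welcome" banner outlives the session.
        Response.Cookies.Add(new HttpCookie(DisplayCookieName, "") { Expires = DateTime.UtcNow.AddDays(-1) });
        return Redirect("/");
    }

    // Returns the user name from the display cookie, or null if it is absent or tampered.
    // Call this from the layout on http:// pages, where User.Identity.IsAuthenticated is false.
    public static string ReadDisplayName(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[DisplayCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        string[] parts = cookie.Value.Split('|');
        if (parts.Length != 2) return null;
        if (!FixedTimeEquals(Mac(parts[0]), parts[1])) return null;
        return HttpUtility.UrlDecode(parts[0]);
    }

    // value = urlencoded(name) + "|" + hex(HMAC-SHA256(key, urlencoded(name)))
    private static string SignedValue(string name)
    {
        string encoded = HttpUtility.UrlEncode(name);
        return encoded + "|" + Mac(encoded);
    }

    private static string Mac(string data)
    {
        byte[] key = Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["DisplayCookieKey"]);
        using (var hmac = new HMACSHA256(key))
        {
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
        }
    }

    // Constant-time comparison so a forged MAC cannot be refined byte by byte.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On http:// pages the layout calls AccountController.ReadDisplayName(Request) for the banner and the add-to-cart action treats a null result as an anonymous visitor; on https:// pages User.Identity.Name is still available from the Secure ticket. Two caveats are inherent to the design the answer describes: the display cookie is visible to anyone on the path between browser and server, so it must never be accepted as proof of identity for anything beyond cart state, and its tamper resistance is only as good as the secrecy of DisplayCookieKey.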
3

1) Yes, you are right.

2) Yes. You can optionally handle HTTP 403.4 code (SSL required) more gracefully, by automatically redirecting the client to the HTTPS version of the page.

As for authentication cookies, I've found this MSDN article for you. Basically, you can set up your website (and the client's browser) to only transmit the authentication cookie via HTTPS. This way it won't be subject to network snooping over an unencrypted channel.

Of course, this is only possible if all of your [Authorize] actions are HTTPS-only.

Zruty
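One way to make Zruty's last condition, that every [Authorize] action is HTTPS-only, hold automatically rather than by convention, as an added example that is not from the answer. It is a global MVC filter derived from the framework's RequireHttpsAttribute; the class name AuthorizeImpliesHttpsAttribute and the FilterConfig registration line are assumptions made for this example:

```csharp
using System;
using System.Web.Mvc;

// Added example, not from the answer. A global filter that makes every [Authorize]
// action HTTPS-only, so the rule is enforced in one place instead of remembered per
// action. Register it in FilterConfig (assumed name):
//     filters.Add(new AuthorizeImpliesHttpsAttribute());
public class AuthorizeImpliesHttpsAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        ActionDescriptor action = filterContext.ActionDescriptor;
        bool needsAuth = action.IsDefined(typeof(AuthorizeAttribute), true)
                      || action.ControllerDescriptor.IsDefined(typeof(AuthorizeAttribute), true);

        // Public pages (product browsing) are left alone; protected ones get the
        // stock RequireHttps check, which calls HandleNonHttpsRequest on plain HTTP.
        if (needsAuth) base.OnAuthorization(filterContext);
    }

    // Stock behaviour: redirect GET to https://, throw for any other verb. Replace the
    // throw with a 403 so a form POST that already travelled in clear is refused
    // cleanly rather than surfacing as an unhandled exception.
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        string method = filterContext.HttpContext.Request.HttpMethod;
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase))
        {
            base.HandleNonHttpsRequest(filterContext);   // redirect to the https:// URL
            return;
        }
        filterContext.Result = new HttpStatusCodeResult(403, "SSL required");
    }
}
```

Registered as a global filter it runs before an action-level [Authorize] at the same Order, so a user who is logged in but lands on a protected URL over plain HTTP is sent to the https:// version, where the browser presents the Secure auth cookie, instead of being bounced to the login page as anonymous. Redirecting GET and answering other verbs with 403 mirrors the graceful handling of IIS's 403.4 (SSL required) that the answer suggests.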