catalyst2 community forums  

Old 05-09-2007, 02:54 PM   #1 (permalink)
Junior Member
 
Join Date: Aug 2003
Posts: 6
Secure Login using ASP.NET and SSL

Hi,

I would like to secure the members' login to my site using SSL. I'm not bothered about the URL of the shared option but could someone tell me if I've understood how it works correctly?

1. put my login script (e.g. login.aspx) into the new "SSL" folder

2. reference this script using the following url when a user logs in

https://servername.sslsercured.com/m...com/login.aspx

3. login details entered will then be secure and cannot be intercepted on entry.

My login script currently writes some session variables after a successful login (username, name etc.) - will these still be accessible by the rest of the application that is stored in wwwroot?

Thanks in advance,

Tom
__________________
TeamStats.net - Pro Stats for Amateur Soccer teams
Old 05-09-2007, 04:03 PM   #2 (permalink)
Administrator
 
 
Join Date: Oct 2003
Posts: 1,484
ASP.NET's default security model is based on cookies, and cookies are locked down to a single domain, so the shared SSL option would not work.

I believe there are ways of making this work, but it's not something I've done before. I would imagine it would be slightly complex and possibly involve some specific things to be set on the server.

I would think the easier option would be to go with the dedicated SSL option.

Jas
__________________
Jason Robbins
jason@catalyst2.com
Old 05-09-2007, 04:18 PM   #3 (permalink)
Junior Member
 
Join Date: Aug 2003
Posts: 6
Hi Jas,

Thanks for the reply - I'd done some further reading on the forum and realised the session/cookie variables would not be shareable.

How about this as a workaround:

SSL/login.aspx - checks username/password against db and if OK updates user table with a randomly generated code then redirects to

mydomain.com/loginsuccess.aspx?username=abc&newrandomcode=xyz123

- queries db user table to make sure username/code match and then the user session/cookie variables can be written.

random code field in db is then nulled for that user.


does this seem secure to you?

Thanks,
Tom
__________________
TeamStats.net - Pro Stats for Amateur Soccer teams
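The handoff proposed in the post above, sketched as an added example that is not part of the original thread or either poster's code. It assumes a current .NET runtime, uses an in-memory dictionary as a stand-in for the user table, and adds three things the post does not specify: a CSPRNG-generated code, a 60-second lifetime, and storage of only a hash of the code. All class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the user table's "random code" column (constructed for this example).
class HandoffStore
{
    private readonly Dictionary<string, (byte[] Hash, DateTime Expires)> _codes = new();
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60); // assumed lifetime

    // SSL/login.aspx side: call only after the username/password check has succeeded.
    public string Issue(string username)
    {
        // 32 bytes from the OS CSPRNG, hex-encoded so it is safe in a query string.
        string code = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _codes[username] = (Hash(code), DateTime.UtcNow + Lifetime);
        return code;
    }

    // loginsuccess.aspx side: succeeds at most once per issued code.
    public bool Redeem(string username, string code)
    {
        if (!_codes.TryGetValue(username, out var row)) return false;
        bool expired = DateTime.UtcNow > row.Expires;
        // Constant-time comparison, so response timing does not leak how much of a guess matched.
        bool match = CryptographicOperations.FixedTimeEquals(row.Hash, Hash(code));
        if (expired || match) _codes.Remove(username); // "null" the column: single use
        return match && !expired;
    }

    // Only a hash is stored, so a leaked table does not yield usable codes.
    private static byte[] Hash(string code) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(code ?? ""));
}

class Program
{
    static void Main()
    {
        var store = new HandoffStore();
        string code = store.Issue("abc");
        Console.WriteLine($"redirect: /loginsuccess.aspx?username=abc&newrandomcode={code}");
        Console.WriteLine(store.Redeem("abc", code));     // first use of the redirect URL
        Console.WriteLine(store.Redeem("abc", code));     // replay of the same URL
        store.Issue("abc");
        Console.WriteLine(store.Redeem("abc", "xyz123")); // guessed code
    }
}
```

Because the redirect target in the post is the non-SSL site, the code travels in the URL in the clear, which is why the example makes it single-use and short-lived. In a real database the check and the nulling should be one atomic update so two concurrent requests cannot both redeem the same code.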
Old 05-09-2007, 05:05 PM   #4 (permalink)
Administrator
 
 
Join Date: Oct 2003
Posts: 1,484
That would certainly work and would be an easy solution to implement.

Secure? I'm no expert but off the top of my head I can't think of a simple way to break that.

Jas
__________________
Jason Robbins
jason@catalyst2.com
Old 05-09-2007, 07:31 PM   #5 (permalink)
Junior Member
 
Join Date: Aug 2003
Posts: 6
That's a relief, I was waiting for someone to shoot me down!

Just a quick question - do I need the actual login form in the SSL directory (where the username/password is entered)?

Or is it just the script that processes the details that matters?

Thanks,
Tom
__________________
TeamStats.net - Pro Stats for Amateur Soccer teams
Old 05-09-2007, 07:32 PM   #6 (permalink)
Administrator
 
 
Join Date: Oct 2003
Posts: 1,484
For the connection from the client to the server to be encrypted you need the form to be on an SSL secured site.
__________________
Jason Robbins
jason@catalyst2.com

All times are GMT. The time now is 10:17 PM.

