ASP.net SSL question
If I redirect a logged-in user to a non-SSL page on my website:
Response.Redirect("http://www.mysite.com/page.aspx");
But the master page has the code:
if (IsLoggedIn)
    ForceSSL();
Which redirects the user to:
Response.Redirect("https://www.mysite.com/page.aspx");
Between the redirect, and then the second redirect, is there any unsecured data transmitted from the client to the server?
The initial request to http://www.mysite.com will send any cookies associated with the domain, but there shouldn't be any if you do all of your traffic on https://www.mysite.com (assuming your cookies are set to secure only).
Edit:
Missed the part about being logged in... if the site's using the standard forms authentication, you'd want to do something like this in the web.config and it should take care of that for you (requireSSL):
<authentication mode="Forms">
    <forms loginUrl="Login.aspx" timeout="15" slidingExpiration="true" requireSSL="true"/>
</authentication>
Edit #2:
I was curious if you could force this at a site level for all cookies (without forms authentication), and it looks like you can by adding this to the config file:
<httpCookies domain="String" requireSSL="true" />
It depends :) I presume the code in the master page is in Page_Load, so no :) You are handling everything on the server side. No data is sent to the client until the request is completed. And Response.Redirect terminates the response in a particularly nasty way (ThreadAbort) and initiates a new one. But as John has mentioned, cookies might be sent.
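The cookie exposure both answers mention can be checked and closed off in code as well as in web.config. The module below is an added example, not code from the question or the answers: the class name CookieTransportGuard is hypothetical, and it assumes response buffering is on (the ASP.NET default) and that TLS terminates at the web server, so Request.IsSecureConnection reflects what the browser actually used.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module name; register it in web.config like any other IHttpModule.
public sealed class CookieTransportGuard : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    // Detection: a forms-auth cookie arriving on a plain-HTTP request has just
    // crossed the network in cleartext, so it was issued without the Secure flag.
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Context.Request;
        if (request.IsSecureConnection)
            return;

        string authName = FormsAuthentication.FormsCookieName;
        if (Array.IndexOf(request.Cookies.AllKeys, authName) >= 0)
        {
            System.Diagnostics.Trace.TraceWarning(
                "Auth cookie '{0}' received over HTTP for {1}",
                authName, request.Url.AbsolutePath);
        }
    }

    // Mitigation: mark every cookie set by this response as Secure, so the
    // browser leaves it out of the http:// hop that precedes the redirect to
    // https://. This is the per-response equivalent of requireSSL="true".
    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Context.Response;
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            response.Cookies[i].Secure = true;
        }
    }

    public void Dispose() { }
}
```

A warning from OnBeginRequest after requireSSL is enabled usually points at a cookie issued before the change; it stops once that cookie expires or the user signs in again.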