ASP.net SSL question

If I redirect a logged in user to a non SSL page on my website:

Response.Redirect("http://www.mysite.com/page.aspx");

But the master page has the code:

if (IsLoggedIn)
    ForceSSL();

Which redirects the user to:

Response.Redirect("https://www.mysite.com/page.aspx");

Between the redirect, and then the second redirect, is there any unsecured data transmitted from the client to the server?


The initial request to http://www.mysite.com will send any cookies associated with the domain, but there shouldn't be any if you do all of your traffic on https://www.mysite.com

(assuming your cookies are set to secure only)

Edit:

Missed the part about being logged in... if the site's using the standard forms authentication, you'd want to do something like this in the web.config and it should take care of that for you (requireSSL):

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="15" slidingExpiration="true" requireSSL="true"/>
</authentication>

Edit #2:

I was curious if you could force this at a site level for all cookies (without forms authentication), and it looks like you can by adding this to the config file:

<httpCookies domain="String" requireSSL="true" />


It depends :) If I presume the code in the master page is in Page_Load, then no :) You are handling everything on the server side. No data is sent to the client until the request is completed. And Response.Redirect terminates the response in a particularly nasty way (ThreadAbort) and initiates a new one. But as John has mentioned, cookies might be sent.
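An added example, not part of the original question or answers: Python's standard-library cookie jar stands in for the browser to show which cookies would travel in cleartext on the http://www.mysite.com/page.aspx hop under the default settings, with requireSSL on the forms element, and with requireSSL on httpCookies. The Set-Cookie headers and their values are constructed, and login.aspx as the HTTPS page that issued them is an assumption.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar

HTTPS_URL = "https://www.mysite.com/login.aspx"  # assumed page that set the cookies
HTTP_URL = "http://www.mysite.com/page.aspx"     # first, non-SSL redirect target

# Constructed Set-Cookie headers; the values are placeholders, not real tickets.
AUTH = ".ASPXAUTH=CONSTRUCTED_TICKET; path=/; HttpOnly"
SESS = "ASP.NET_SessionId=constructedsession; path=/; HttpOnly"
DEFAULT = [AUTH, SESS]                                    # no requireSSL anywhere
FORMS_REQUIRE_SSL = [AUTH + "; secure", SESS]             # <forms requireSSL="true">
ALL_REQUIRE_SSL = [AUTH + "; secure", SESS + "; secure"]  # <httpCookies requireSSL="true">


class FakeResponse:
    """Minimal response object: CookieJar only calls .info() on it."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._msg


def cookies_sent(set_cookie_headers, url):
    """Names of the cookies a client attaches to a request for `url` after
    receiving `set_cookie_headers` in a response from HTTPS_URL."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_headers),
                        urllib.request.Request(HTTPS_URL))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies domain, path and Secure rules
    header = request.get_header("Cookie", "")
    return sorted(pair.split("=", 1)[0] for pair in header.split("; ") if pair)


if __name__ == "__main__":
    cases = [("default", DEFAULT), ("forms requireSSL", FORMS_REQUIRE_SSL),
             ("httpCookies requireSSL", ALL_REQUIRE_SSL)]
    for label, headers in cases:
        print(label, "-> sent over http:", cookies_sent(headers, HTTP_URL))
```

Only cookies carrying the Secure attribute are held back on the plain-HTTP request; everything else is visible on the wire before ForceSSL() issues the second redirect.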
