How to use HTTPS in an ASP.Net Application

Question

I want to use HTTPS in my ASP.NET web application, but only for the Login.aspx page.

How can this be accomplished?

Answer 1

After you get SSL setup/installed, you want to do some sort of redirect on the login page to https://. Then whatever page the user is sent to after validation, it can just be http://.

Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
    If Request.IsSecureConnection = False And _
        Not Request.Url.Host.Contains("localhost") Then

        Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
    End If
End Sub

This may be easier to implement on a master page or just all the pages you require https. By checking for "localhost" you will avoid getting an error in your testing environment (Unless your test server has another name than check for that: "mytestservername").

Answer 2

disclaimer - I was involved in the development of this project

I would recommend using http://nuget.org/packages/SecurePages/ It gives you the ability to secure specific pages or use Regex to define matches. It will also force all pages not matching the Regex or directly specified back to HTTP.

You can install it via NuGet: Install-Package SecurePages

Docs are here: https://github.com/webadvanced/Secure-Page-manager-for-asp.net#secure-pages

Simple Usage:

SecurePagesConfiguration.Urls.AddUrl("/cart");

or

SecurePagesConfiguration.Urls.AddRegex(@"(.*)account", RegexOptions.IgnoreCase | RegexOptions.Compiled | RegexOptions.Singleline);

Answer 3

You can publish your own certificate or you can purchase one. The caveat is that purchasing one, depending on the company, means that it's already stored in the certificate store for most browsers. Your self published one will not be and your users will have to take the extra step of installing your cert.

You don't say what version of IIS you're using, but here are some detailed instructions for IIS 6

You can purchase relatively cheap certs or you can go with the big boys (verisign) and get an extended validation certificate which turns your address bar in IE, green. It's also a somewhat rigorous validation process and takes time.

If you know all of the users that will be hitting your website, there's no problem with installing your own. However, for an open website with anonymous users (that you don't know), it's probably best to purchase one that is already in most major browsers, certificate stores.

You can enable SSL via IIS and require it for only your login.aspx page and not for the rest.

Answer 4

You can enable HTTPS in your IIS config, but it won't be "secure" unless you acquire an SSL Certificate and plug it into IIS. Make sure you have port 443 open.

Answer 5

1. First get or create a certificate

2. Get the SecureWebPageModule module from http://www.codeproject.com/Articles/7206/Switching-Between-HTTP-and-HTTPS-Automatically-Ver. Instructions for setup can be found in the article.

3. Add secureWebPages tag to web.config

   <configuration>
       ...
       <secureWebPages enabled="true">
           ...
       </secureWebPages>
       ...
       <system.web>
           ...
       </system.web>
   </configuration>
   

4. Add files and directories to be use for https protocol:

   <secureWebPages enabled="true">
       <file path="Login.aspx" />
       <file path="Admin/Calendar.aspx" ignore="True" />
       <file path="Members/Users.aspx" />
       <directory path="Admin" />
       <directory path="Members/Secure" />
   </secureWebPages> 
   

Hope this helps!