Question
I'll try to be as brief as I can. I have the certificate already set up on my server. I just have a question about the proper way of configuring SSL in my website.

I need to secure login.aspx at the root, and the admin and cart directories. So in IIS, you can right-click a file or directory in the site and go to Properties -> File/Directory Security tab -> Secure Communications section and click Edit -> check Require secure channel (SSL). This causes the file or directory contents to be requested over an https connection, and asp.net will not convert the request automatically.

So, instead of changing all of my links and redirects to use absolute URLs to specify http or https, I implemented an http module to automatically switch between http and https as suggested here. However, I still get the error "The page must be viewed over a secure channel" because it was not initially sent over https, but converted in the module. If I remove the setting in IIS, it works fine; the page module automatically switches the connection to https.

My question is, is it okay to not have the SSL requirement setting in IIS and just have my http module handle the http/https switching? I feel like I will be losing a layer of security here by doing so. Does anyone have any insight on this?
Answer 1:
I think it is acceptable to not enable the Require secure channel option. I have only enabled that option when an entire domain needs to be secured, like secure.domain.com. For sites that have parts that need to be HTTPS and parts that I don't, I use the switcher method that you described. When the user requests the login page they are redirected to the same page over HTTPS. All cookies are set to only be delivered over SSL:

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>
If the cookie is absent then the user is not logged in and pages are delivered over HTTP.
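An added example of the "switcher" module both posts refer to, written for this page rather than taken from the question or the answer: an ASP.NET IHttpModule that forces the three locations the asker names (login.aspx at the root, and the admin and cart directories) onto HTTPS and leaves every other path alone. The class name SslSwitchModule, the SecurePrefixes list and the decision to reject non-GET requests that arrive over plain HTTP are assumptions made for this illustration; the original posts say nothing about how their module handles a POST.

```csharp
using System;
using System.Web;

// Added example, not the asker's or answerer's module. Redirects requests for
// the protected paths (assumed from the question) to HTTPS; other paths are
// untouched, so no HTTPS page is ever downgraded by this module.
public class SslSwitchModule : IHttpModule
{
    // Assumed: site-root-relative locations that must be served over HTTPS.
    private static readonly string[] SecurePrefixes = { "/login.aspx", "/admin", "/cart" };

    public void Init(HttpApplication app)
    {
        // BeginRequest runs before any page handler, so the redirect happens
        // before login.aspx or anything under /admin or /cart executes.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // True when the path is exactly a protected entry or lies under a
    // protected directory. "/administration.aspx" deliberately does not match
    // "/admin"; only "/admin" and "/admin/..." do.
    public static bool RequiresSsl(string path)
    {
        string trimmed = path.TrimEnd('/');
        foreach (string prefix in SecurePrefixes)
        {
            if (string.Equals(trimmed, prefix, StringComparison.OrdinalIgnoreCase) ||
                path.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    // Same URL with the scheme swapped to https and the port reset to the
    // scheme default (Port = -1), so the query string and path survive intact.
    public static string ToHttps(Uri url)
    {
        var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        if (req.IsSecureConnection || !RequiresSsl(req.Path))
            return;

        // Only GET/HEAD can be replayed safely by a redirect. A POST that
        // reached us over plain HTTP has already exposed its body on the wire,
        // so it is refused instead of being silently re-issued over HTTPS.
        if (req.HttpMethod != "GET" && req.HttpMethod != "HEAD")
        {
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        ctx.Response.RedirectPermanent(ToHttps(req.Url), true);
    }
}
```

Register the module in web.config under system.webServer/modules (integrated pipeline) or system.web/httpModules (classic pipeline) with its type name. With the httpCookies requireSSL="true" setting from the answer in place, the forms-authentication cookie is never sent on a plain-HTTP request, so a user who lands on an unprotected page over HTTP simply appears logged out rather than exposing the session; the module and the cookie flag together cover what the IIS "Require secure channel" checkbox would otherwise enforce for these paths.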
Source: https://stackoverflow.com/questions/12287994/configuring-ssl-in-iis-asp-net