Hi all,

I am in the process of updating my website to include secure pages and have run across few issues.  Any replies would be appreciated.

• The biggest problem I'm facing is that whenever a secured page is rendered, all links on that page becomes "https:" even though I don't really need SSL being used for them.  I've already researched the net for information on this and it appears that it's not easy to remedy this situation unless I'm using the full URL.  But, developing in ASP.NET is so much easier without resorting to full URL links, especially within when navigating within the same website.  Also, I really don't want to use the full URL since I need to be able to test locally too.  I'm sure others have experienced this issue when dealing with SSL, so please comment.
• Another issue is that with SSL, the login page cannot use the "remember me" feature when using the default Login control available in ASP.NET.  I suppose it has to do with security issues concerning cookies perhaps?  Any resolution on this?
• With SSL in place, all pages with external links (or Flash control) invokes a security warning message box.  How would I disable this from happening?
• If I were to simply use SSL for ALL my pages, how much of performance hit would I take?
• Finally, what is the reason behind using the thawte_seal_generator.exe script?  Does it do anything special beyond showing the SSL logo for the website?
  

Regards,

- Jin 

Here's my $.02:

1. For the most part, all internal links (those to other pages on your site) are "relative" to the root of your web site, so the full URL (http://..... or https://....) is not part of the code.  So, when you go to SSL mode, all links (unless you have hard coded them otherwise) will be relative to where you currently are, which is https://....  There is a way you can enable your localhost to operate in SSL.  I'll have to dig up the software (it's free) and post a link here if you're interested.  My advice is to just setup a test site (testsite.mydomain.com) for testing your application instead of trying to get SSL on your localhost as the software is kind of a pain to install (but it does work).

2. Does the "remember me" work when you are not in SSL mode?  If not, then i'd say it's a cookie problem (your computer isn't accepting them).  Have you tested this in more than one browser?  If so, which one's?

3.  Other than not going to SSL mode for those pages, you can't.  If you are in SSL and you have links to other resources that are not SSL URL's you will always get the security warning for mixed content.

4.  Many sites use SSL for all pages.  PayPal for one.  Performance hit is not noticeable.  My shopping cart actually has the option that once the user goes SSL to stay SSL.  It's disabled by default, but there if I'd like to use it.  Of course, if you have pages that have non-SSL URL's (#3 above), you  may want to stay away from using SSL on those pages to avoid the warning.

5.  The thawte_seal_generator.exe does two things:  First, it displays the SSL logo.  Secondly, if you click on it, it opens a window to validate that the URL the logo is displayed on matches the URL the SSL Certificate is issued to.

Thanks as always for sharing your expertise, itechcs!  I really appreciate it.

It seems that I have to either have the entire website in SSL mode with the occasional  security warnings (for non-SSL links) or do some serious coding to switch back and forth between https and http pages.  As for the "remember me" thing, it works fine in non-SSL mode, so I'm sure it's a security related issue.  I'll dig around to figure this one out or get rid of the option completely.

- Jin
 

Glad I could help.

I'd be happy to take a look at your web site code and see if there is an easy way to switch back and forth between http and https.

Regarding the "remember me", what version of .Net are you using?  And what browsers have you tested this with?