NerdENerd (0 Points, 19 Posts)
How Can I Create A secure Form URL?
Jan 13, 2010 10:59 PM
I want to post my login form to a secure url.
I figured the best way to do this would be bust open the HTML helpers for BeginForm with reflector and create my own extension method called BeginSecureForm. The problem I ran into was that it uses the internal method UrlHelper.GenerateUrl and the private method HtmlHelper.FormHelper.
Apart from hard coding URLs into a form what is the best way to generate forms that post to a secure url and then have that action redirect to a non secure action after login?
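The helper the poster describes can be written against the public MVC 2 API alone, because UrlHelper.Action has an overload that takes a protocol argument. The following is an added example, not code from the thread or from the MVC source; the extension-method name BeginSecureForm is taken from the post, and the "Login"/"User" names in the usage comment are assumed from the /user/login URL mentioned later in the thread.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example (not code from the thread). Builds the <form> tag with the
// public MVC 2 API only: UrlHelper.Action has an overload that takes a
// protocol, so there is no need to reach the internal UrlHelper.GenerateUrl
// or the private HtmlHelper.FormHelper through Reflector.
public static class SecureFormExtensions
{
    // In a view served from http://www.mysite.com:
    //   <% using (Html.BeginSecureForm("Login", "User")) { %> ... <% } %>
    // emits <form action="https://www.mysite.com/User/Login" method="post">.
    public static MvcForm BeginSecureForm(this HtmlHelper html,
                                          string actionName,
                                          string controllerName)
    {
        return BeginSecureForm(html, actionName, controllerName, null, null);
    }

    // hostName lets the https endpoint live on a different host (a dedicated
    // secure host, for instance); null keeps the host of the current request.
    public static MvcForm BeginSecureForm(this HtmlHelper html,
                                          string actionName,
                                          string controllerName,
                                          object routeValues,
                                          string hostName)
    {
        var url = new UrlHelper(html.ViewContext.RequestContext);

        // Passing a protocol makes UrlHelper.Action return an absolute URL
        // (scheme, host and path) instead of the usual application-relative one.
        string action = url.Action(actionName, controllerName,
                                   new RouteValueDictionary(routeValues),
                                   "https", hostName);

        var form = new TagBuilder("form");
        form.MergeAttribute("action", action);
        form.MergeAttribute("method", "post");

        // Write the opening tag now; MvcForm.Dispose writes </form> when the
        // using block in the view ends, exactly as Html.BeginForm does.
        html.ViewContext.Writer.Write(form.ToString(TagRenderMode.StartTag));
        return new MvcForm(html.ViewContext);
    }
}
```

Note what this does and does not buy you: the credentials are POSTed over SSL, but the page that carries the form was still served over plain http, so anything on the network path can rewrite the action attribute before the user ever sees it. That is the objection levib raises in his reply, and it is why the form's https action is only worthwhile together with [RequireHttps] on the receiving action.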
jimmy q, All-Star (54108 Points, 3578 Posts)
Re: How Can I Create A secure Form URL?
Jan 14, 2010 01:43 AM
I am not quite sure I understand your requirements for a secure form.
If all you want is to secure the contents of a form being posted why not use SSL?
NerdENerd (0 Points, 19 Posts)
Re: How Can I Create A secure Form URL?
Jan 14, 2010 01:52 AM
I don't want to send the username and password unencrypted but I don't want to run the whole site under SSL.
What I would like is the login form post via SSL and then have the login action redirect to a non-SSL page.
On the home page I have a form that posts to /user/login. If the user authenticated properly then I redirect to a user page.
I would like the home page to be hit from http://www.mysite.com but the login form post to https://www.mysite.com/user/login and the login action redirect to http://www.mysite.com/user/dashboard.
I have tried running the whole site under SSL but IE is a pain with mixed content. I have jQuery coming non-SSL from the Microsoft CDN and Maps coming from Google.
My other option would be to do an Ajax login request but I still want a way to generate SSL URLs.
levib, Star (7702 Points, 1099 Posts), Microsoft
Re: How Can I Create A secure Form URL?
Jan 14, 2010 02:10 AM
What exactly are you trying to protect against? If you're trying to protect against a MITM attack (which is what developers normally think of when using SSL), then redirecting after logging in will break site security since an attacker could just hijack your login cookie. Alternatively, they could just change your login page to contain <form action="https://www.evil.com/"> rather than the actual URL you wanted it to point to.
Generally, unless you really know what you're doing in this regard, you should run as much of the site as possible under SSL. We have a [RequireHttps] attribute in MVC 2 that you can put on your controllers to facilitate this.
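levib's reply points at [RequireHttps] and at the login cookie being hijacked once the user is back on http. The following is an added example, not code from the thread or from ASP.NET MVC itself, of what that looks like in a controller. UserController, its Login and Dashboard actions, and the use of the ASP.NET Membership provider are assumptions taken from the /user/login and /user/dashboard URLs in the original post; marking the authentication cookie Secure is an added hardening step that the thread itself does not spell out.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example (not code from the thread). Controller and action names are
// assumed from the /user/login and /user/dashboard URLs in the original post.
[RequireHttps]   // MVC 2: a GET over http is redirected to https; a POST over
                 // http is rejected with an exception rather than being served.
public class UserController : Controller
{
    [HttpGet]
    public ActionResult Login()
    {
        return View();
    }

    [HttpPost]
    public ActionResult Login(string userName, string password)
    {
        // Membership provider assumed; any credential check fits here.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Issue the forms-authentication cookie ourselves so it can carry the
        // Secure flag (the flag <forms requireSSL="true" /> in web.config would
        // also set). A Secure cookie is never sent over http, which is the
        // substance of levib's objection: the session cannot both stay off the
        // wire on http://www.mysite.com/user/dashboard and keep that page
        // logged in. HttpOnly keeps script on the page from reading it.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userName, false);
        authCookie.Secure = true;
        authCookie.HttpOnly = true;
        Response.Cookies.Add(authCookie);

        // Relative redirect, so the browser stays on https.
        return RedirectToAction("Dashboard");
    }

    // Covered by the class-level [RequireHttps], so the Secure cookie is
    // presented and [Authorize] succeeds.
    [Authorize]
    public ActionResult Dashboard()
    {
        return View();
    }
}
```

If the cookie is instead left without the Secure flag so that the http dashboard can see it, the browser sends it in clear on every http request, and the SSL on the login POST has protected the password but not the session it produced.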
NerdENerd (0 Points, 19 Posts)
Re: How Can I Create A secure Form URL?
Jan 14, 2010 02:22 AM
I would run the whole site under SSL but IE's stupid default policy of not allowing mixed content makes it impossible to use Google Maps while under SSL.
I don't want to send login credentials unencrypted.
levib, Star (7702 Points, 1099 Posts), Microsoft
Re: How Can I Create A secure Form URL?
Jan 14, 2010 02:47 AM
The reason IE throws a mixed mode warning is to combat MITM + DNS poisoning attacks. It's possible to use these attacks to steal information from an SSL-protected site.
You can access the Google Maps APIs via SSL if you have a Premier account through them. See http://googleenterprise.blogspot.com/2008/09/httpssecuregooglemaps.html for more information.
Alternatively, you can design your site such that certain subdomains or pages are accessible via HTTP rather than requiring SSL. However, you should contact a security professional for assistance in setting this up. You are unlikely to find developers on this forum who have expertise in this field and will offer their assistance for free.
As for redirecting users from HTTP to HTTPS, you can use the [RequireHttps] attribute I mentioned earlier. It's included in-box in MVC 2.
lenocin, Member (206 Points, 148 Posts)
Re: How Can I Create A secure Form URL?
Jan 14, 2010 04:07 AM
From the top of my head (been absent from .net several months) can't you use AntiForgeryToken to secure your forms?
Wanted to dig up some old code, but figured I'd rather search for something that make sense. How about this?
levib, Star (7702 Points, 1099 Posts), Microsoft
Re: How Can I Create A secure Form URL?
Jan 14, 2010 04:31 AM
The AntiForgeryToken is designed to limit exposure to XSRF attacks. The particular scenario here is that you want to verify the authenticity of the form itself and that you want to hide the information from attackers. This is SSL's territory.
lenocin, Member (206 Points, 148 Posts)
Re: How Can I Create A secure Form URL?
Jan 14, 2010 04:41 AM
Hmmmm...true. Just our mate did not sound like he's keen for SSL, so I went digging stuff out the wrong section in the back of my rusted memory.
Thanks for correcting me!