Marked as answer by UselessChimp on Jan 19, 2013 12:31 PM
UselessChimp
Member
226 Points
115 Posts
SSL and file transfers
Jan 16, 2013 08:09 PM
Hello all,
I am after a bit of advice, I have an ASP.Net web application and I have just installed SSL on the server so I have the next week or so ahead of me playing with this. I intend to set the RequireSSL = true in the web.config section so that the cookies cannot be cloned and so on but the main function of my website is content management. People will be downloading files from the website, now I don't want to do the download over SSL because of the overhead but I also want to check that the user is authenticated and authorised inside the handler I have that serves the files to the user.
Does anyone have a suggestion on how I should approach this please so that I ensure that the user is authorised, keep the cookie safe, but also do not require the overhead of downloading over SSL?
Is it even possible? Thank you.
stmarti
Contributor
5083 Points
1061 Posts
Re: SSL and file transfers
Jan 18, 2013 06:54 PM
Not possible, and not safe. You can find tons of articles (some example) on the web which explain how insecure this is (authenticate only using HTTPS, and afterwards serving regular content via HTTP).
Are you sure about the "overhead" of ssl?
jprochazka
Contributor
4992 Points
748 Posts
Re: SSL and file transfers
Jan 18, 2013 07:08 PM
The "overhead" is due to SSL handshakes. If I remember right, 5 SSL handshakes to 2 non-SSL handshakes. It actually is more of a latency problem than a CPU load issue on today's hardware. It may present itself as an issue when sending files over SSL over a long distance, such as overseas or to devices connected to a cellular network.
Anyways...
Maybe before hitting the handler over HTTP, store a session variable which the handler can then use to authenticate the request.
UselessChimp
Member
226 Points
115 Posts
Re: SSL and file transfers
Jan 19, 2013 12:32 PM
I would like to thank you both very much for your clear and informative answers. I have marked stmarti's answer as the answer thanks to the fantastic link that has been supplied. Reading this with a cup of tea has answered all of my queries, explained why my approach is flawed, and as a result has set out my work for the rest of the weekend.
Time to get coding :) Thank you both.
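The conclusion the thread reaches (keep the download on HTTPS and do the authentication and authorisation check inside the handler), as an added example that is not part of any post above. The handler name, the `~/App_Data/Files` folder, the `Downloaders` role and the `file` query key are assumptions.

```csharp
// Added example, not code from the thread. Names marked "assumed" are illustrative.
using System.IO;
using System.Web;

public class SecureDownloadHandler : IHttpHandler
{
    private const string FilesRoot = "~/App_Data/Files"; // assumed storage folder
    private const string RequiredRole = "Downloaders";   // assumed role name

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With requireSSL="true" on the forms cookie the browser never sends it
        // over http, so a plain-http request arrives anonymous. Refuse it here
        // rather than falling back to a weaker check.
        if (!context.Request.IsSecureConnection) { Deny(context, 403); return; }

        // Authentication first, then authorisation.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            Deny(context, 401);
            return;
        }
        if (!context.User.IsInRole(RequiredRole)) { Deny(context, 403); return; }

        // Accept a bare file name only: separators, drive colons, quotes and
        // control characters are all invalid file-name characters, which blocks
        // path traversal and header injection in one check.
        string name = context.Request.QueryString["file"]; // assumed query key
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            Deny(context, 400);
            return;
        }

        string fullPath = Path.Combine(context.Server.MapPath(FilesRoot), name);
        if (!File.Exists(fullPath)) { Deny(context, 404); return; }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(fullPath); // streams without buffering the file
    }

    private static void Deny(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
    }
}
```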