Interested in using SSL for logins? Here's an easy solution : The Official Microsoft ASP.NET Forums

Reply

bookerdog

Member

30 Points

Interested in using SSL for logins? Here's an easy solution

Feb 28, 2005 07:34 PM|LINK

Hey all, I went looking at the existing system and came up with a fairly easy proceedure to force your GCN site to use SSL for the delicate Login and Register pages. You could choose to use it for anything by just adding to the list found in the CheckToSecurePage proceedure. All code here is in C#. First, you need to add a key to your web.config file. I did this so I could easily turn on and off my SSL. Add this to the section of web.config Like this: ....... Next I added the following procedure to \Engine\Framework\BaseClasses\CommunityGlobals.cs public static void CheckToSecurePage(System.Web.HttpContext Context) { bool SecurityEnabled = false; NameValueCollection nvc = (NameValueCollection) ConfigurationSettings.GetConfig("communityStarterKit/services"); try //use the try catch in case the key does not exist. { SecurityEnabled = bool.Parse(nvc[ "forceUseOfSecureHTTP" ]); } catch { SecurityEnabled = false; } if (SecurityEnabled) { string pagename = Context.Request.RawUrl.ToLower(); bool needSecure = false; if (pagename.IndexOf("users_editprofile.aspx") > 0) {needSecure = true;} if (pagename.IndexOf("users_login.aspx") > 0) {needSecure = true;} if (pagename.IndexOf("users_register.aspx") > 0) {needSecure = true;} if (needSecure && !Context.Request.IsSecureConnection) { {Context.Response.Redirect("https://" + PrimaryDomain + Context.Request.RawUrl);} } else if(!needSecure && Context.Request.IsSecureConnection) { {Context.Response.Redirect("http://" + PrimaryDomain + Context.Request.RawUrl);} } } else if (Context.Request.IsSecureConnection) { Context.Response.Redirect("http://" + PrimaryDomain + Context.Request.RawUrl); } } Finally, you go to the default page handler for all requests in the application, communityDefault.aspx in the root directory. Simply call the above procedure as the first line of the Page_Init procedure. public class communityDefault : System.Web.UI.Page { void Page_Init(Object s, EventArgs e){ CommunityGlobals.CheckToSecurePage(Context);

Reply

Afgooey

Member

150 Points

30 Posts

Re: Interested in using SSL for logins? Here's an easy solution

Mar 07, 2005 05:26 PM|LINK

hey that's pretty cool. Did you change the registration part too to make it safer? I notice CSK lets you register right then and there, while most sites make you enter a valid ID and send the password or confirmation to the mailbox.

Reply

bookerdog

Member

30 Points

6 Posts

Re: Interested in using SSL for logins? Here's an easy solution

Mar 07, 2005 06:04 PM|LINK

I didn't change the registration, but I'm actually using a more hands on security model. The "Community-Authenticated" role doesn't have any more rights than the "Community-Everyone" Role. I added a mod that sends an e-mail to all the members of the "Community-Administrators" role when there is a new registration. Then one of the Admin review the new registration, and if it's cool, adds the user to the "Community-Verified Members" role. This is primarily being used for a small site for my church, and we're trying to limit the number of duplicate registrations because we're doing a default load of existing church members into the User's table. I know somebody has written a mod that does just what you're talking about, where a random verification id is sent to the user before their membership is activated. Search here or the CSK sections to find it. For my usage, I'm not so concerned that a person has entered a valid e-mail as verifying that the person should have access to the site in the first place.