Marked as answer by ricka6 on Jan 15, 2010 03:22 AM
levib
Microsoft
Re: How Can I Create A secure Form URL?
Jan 14, 2010 02:10 AM
What exactly are you trying to protect against? If you're trying to protect against a MITM attack (which is what developers normally think of when using SSL), then redirecting after logging in will break site security since an attacker could just hijack your login cookie. Alternatively, they could just change your login page to contain <form action="https://www.evil.com/"> rather than the actual URL you wanted it to point to.
Generally, unless you really know what you're doing in this regard, you should run as much of the site as possible under SSL. We have a [RequireHttps] attribute in MVC 2 that you can put on your controllers to facilitate this.
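The two weaknesses described in the post above (a login form delivered over plain HTTP, and an auth cookie that travels over HTTP once the site redirects away from SSL) can be checked for mechanically in a captured login flow. The following is an added example, not part of the original post or of ASP.NET MVC; the function name `audit_login_flow`, the finding labels and the sample responses on `shop.example` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_login_flow(responses):
    """Return (finding, detail) pairs for a list of captured responses."""
    findings = []
    for r in responses:
        url = r["url"]
        over_tls = urlsplit(url).scheme == "https"
        parser = FormActions()
        parser.feed(r["body"])
        for action in parser.actions:
            target = urljoin(url, action)  # empty action posts back to the page
            if not over_tls:
                # Page itself is modifiable in transit, whatever the action says.
                findings.append(("form-page-not-https", url))
            elif urlsplit(target).scheme != "https":
                findings.append(("form-posts-to-http", target))
        for name, value in r["headers"]:
            if name.lower() == "set-cookie":
                attrs = [a.strip().lower() for a in value.split(";")[1:]]
                if "secure" not in attrs:  # cookie will also be sent over HTTP
                    findings.append(("cookie-without-secure", value.split("=", 1)[0]))
            elif name.lower() == "location" and over_tls:
                if urlsplit(urljoin(url, value)).scheme != "https":
                    findings.append(("redirect-leaves-https", value))
    return findings

# Constructed sample: HTTP page hosting the login form, HTTPS login, HTTP redirect.
SAMPLE_FLOW = [
    {"url": "http://shop.example/", "headers": [],
     "body": '<form action="https://shop.example/Account/LogOn"></form>'},
    {"url": "https://shop.example/Account/LogOn", "body": "",
     "headers": [("Set-Cookie", ".ASPXAUTH=abc123; path=/; HttpOnly"),
                 ("Location", "http://shop.example/Home")]},
]

if __name__ == "__main__":
    for finding in audit_login_flow(SAMPLE_FLOW):
        print(finding)
```

A flow served entirely over HTTPS, with the `Secure` attribute on the auth cookie and a same-site redirect, produces no findings.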