
SSL use for login or not?


mds1256


Hi

I am developing a system that users can log into.

Couple of questions:

1. Should I use SSL for when users submit the login form, e.g. post to https just for login?

2. Is putting the https address in the form action enough to encrypt the login details, or does the page that you are entering the details on (e.g. the login form webpage) also need to be encrypted?

Thanks


To provide a few more specific answers (though I agree with thorpe in that enabling SSL for all is good):

1. Should I use SSL for when users submit the login form, e.g. post to https just for login?

Yes, you should at minimum use SSL when posting the login information to ensure it is encrypted.

2. Is putting the https address in the form action enough to encrypt the login details, or does the page that you are entering the details on (e.g. the login form webpage) also need to be encrypted?

Setting the action to an https URL is technically enough, as that will cause the post itself to be encrypted. You should serve the login page itself over https as well, though, so that the browser includes a visual indication that the page is encrypted. That helps users feel safer if they can see the SSL signs before entering their details. Encrypting the login page itself can help prevent man-in-the-middle attacks as well.


After you have logged in, the sensitive information is now the session id that you are sending from the client to the server on every http request. If someone 'was' monitoring the data packets (which is why you would be using SSL in the first place), such as over an unencrypted wifi connection, they would have the session id and can visit the site as you and do anything you can do after you have logged in (which is why you typically re-authenticate when doing critical things, such as modifying profile information, making purchases,...). Since they already have access to the same network you are using, they will also have the same IP that you have when they visit the site.


After you have logged in, the sensitive information is now the session id that you are sending from the client to the server on every http request. If someone 'was' monitoring the data packets (which is why you would be using SSL in the first place), such as over an unencrypted wifi connection, they would have the session id and can visit the site as you and do anything you can do after you have logged in. Since they already have access to the same network you are using, they will also have the same IP that you have when they visit the site.


Have kind of thought about that one, and I regenerate the session ID after so many page requests to get a new ID.

So on another note, what is the best way to divert my site to https if an http address is entered? I am using IIS for this; is there an easy way of doing this that will prevent users from visiting the http version?

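One concrete way to do the IIS redirect asked about in the post above, and at the same time to keep the session cookie off plain http as the earlier reply warns, as an added example that is not part of any post in this thread. It assumes an ASP.NET site hosted on IIS with the IIS URL Rewrite module installed (URL Rewrite is an add-on, not part of a default IIS install), and a site-level web.config; the rule name, the one-year max-age and the header values are choices made here, not anything the thread states.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Assumption: ASP.NET site. requireSSL marks cookies issued by the app
         (including the session cookie) as Secure, so the browser never sends
         the session id over http; httpOnlyCookies keeps script from reading it. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <!-- If forms authentication is used, the auth ticket cookie has its own switch. -->
    <authentication mode="Forms">
      <forms requireSSL="true" />
    </authentication>
  </system.web>

  <system.webServer>
    <rewrite>
      <rules>
        <!-- Any request that arrives over http is answered with a 301 to the
             same host and path on https, so users cannot stay on the http version. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <httpProtocol>
      <customHeaders>
        <!-- HSTS: once a browser has seen this over https it rewrites future
             http URLs for this host to https itself, before any request leaves
             the machine. Browsers ignore the header when received over http. -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

To check it, request the http URL and confirm the response is a 301 whose Location header points at the https URL, then log in over https and confirm the session cookie in the Set-Cookie header carries the Secure and HttpOnly attributes. The redirect alone still leaves the very first http request (and any session cookie without the Secure flag) exposed on an untrusted network, which is why the cookie flags and the HSTS header go with it.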

After you have logged in, the sensitive information is now the session id that you are sending from the client to the server on every http request. If someone 'was' monitoring the data packets (which is why you would be using SSL in the first place), such as over an unencrypted wifi connection, they would have the session id and can visit the site as you and do anything you can do after you have logged in (which is why you typically re-authenticate when doing critical things, such as modifying profile information, making purchases,...). Since they already have access to the same network you are using, they will also have the same IP that you have when they visit the site.


A token in plain text is a lot less worrisome than a password, IMO. If a user logs out, the token is destroyed. Some sites will even regenerate the token per request when a user is logged in.

That's not to say your post isn't sound advice.
