避免 SSL “您将被重定向到不安全的连接."信息 [英] Avoiding SSL "You are about to be redirected to a connection that is not secure." message

问题描述

我有一个通过 SSL 提供服务的登录屏幕.用户填写他们的登录名/密码，这将被发布到服务器.此时我想跳出 SSL，所以我将它们重定向回没有 SSL 的同一页面.

这会导致浏览器显示警告对话框您将被重定向到不安全的连接".我怎样才能避免这种情况?我去过很多网站，例如 yahoo mail 和 gmail，它们为您提供 SSL 登录页面，然后在此之后将您发送到非 SSL 页面.

第二个问题:这个对话的目的是什么?它试图警告我一些邪恶的目的 - 但是将某人重定向到非 SSL 页面有什么不好?当我在 SSL 页面上单击非 SSL 链接时，我没有收到警告.重定向某人有什么不同?

我在 ASP.NET 2.0 中这样做 - 但我认为这是一个通用的网络开发问题.

更新摘要:似乎流行的答案是不要避免".我可以理解，当安全性被删除时，用户应该收到一条消息.但是当我点击链接并删除安全性时，我没有收到对话框，所以至少我会说这是不一致的.

对话框/浏览器版本.我实际上在 IE7/FF3 中没有看到对话框(也许我点击了一个复选框来阻止它).更重要的是，客户端确实在 IE6 中看到它 - 没有复选框可以删除它(是的，我知道 IE6 很旧而且很垃圾).

Firefox2:

替代方案:使整个站点使用 SSL，永远不要将用户重定向到 SSL 之外.我能应付得了.但我有一个半技术客户，他有一些相当不错的观点:

• SSL 将导致流量/处理能力增加".我真的不买这个，我不认为他的网站需要一个以上的盒子来提供服务.
• 雅虎做到了.雅虎是一家大型技术公司.你比雅虎更聪明吗?"

我将尝试将客户端转移到一个完全 SSL 的站点.我认为 Yahoo 的方法在 1996 年或者对于一个更受欢迎的网站来说是有意义的.一些解释为什么会发生这种对话的官方链接会有所帮助(即 Jakob Nielsen 的真实性级别).

解决方案

不久前我遇到了同样的问题.所以我查看了 fiddler 的内部，看看雅虎邮件是如何做到的.这是我看到(并在我的网站上使用)的步骤:

用户填写 SSL 加密表格，然后 POST 到服务器.服务器进行身份验证，并吐出一些脚本来重定向客户端

我认为客户端代码是为了避免这个对话框.

I have a login screen which I'm serving over SSL. The user fills in their login/password, this gets POSTed to the server. At this point I want to jump out of SSL, so I redirect them back to the same page with no SSL.

This causes the browser to show a warning dialog "You are about to be redirected to a connection that is not secure". How can I avoid this? I've been plenty of sites like yahoo mail, and gmail that give you an SSL page for login, then send you to a non-SSL page after this.

Secondary question: what's the purpose of this dialog? It's trying to warn me about some nefarous purpose - but what's so bad about redirecting someone to a non-SSL page? I don't get a warning when I'm on an SSL page and click a non-SSL link. What's different about redirecting someone?

I'm doing this in ASP.NET 2.0 - but I figure this is a generic web-dev question.

UPDATE SUMMARY: It seems the popular answer is "DON'T AVOID IT". I can understand that a user should get a message when security it being removed. But I don't get a dialog when I follow a link and security is removed, so at the very least I'd say this is inconsistent.

The dialog / browser versions. I actually don't see the dialog in IE7/FF3 (maybe I've clicked a checkbox preventing it). More importantly the client DOES see it in IE6 - with no checkbox to remove it (yes, I know IE6 is old and crap).

Firefox2: FF2 http://img521.imageshack.us/img521/8455/sslwarning.jpg

IE6:

The alternative: make the entire site SSL, never redirect the user out of SSL. I could handle that. But I've got a semi-technical client who has some fairly good points:

• "SSL is going to cause an increase in traffic / processing power". I don't really buy this, and I don't think his site is every going to require more than one box to serve it.
• "Yahoo does it. Yahoo is a big technical company. Are you smarter than Yahoo?"

I'm going to try sway the client over to an entirely SSL site. I'll argue Yahoo's approach made sense in 1996, or for a site that is MUCH more popular. Some official links explaining why this dialog happens would help (i.e Jakob Nielsen level of authenticity).

解决方案

I've hit this same problem a while back. So I had a look inside fiddler to see how yahoo mail does it. Here's the step I saw (and used on my site):

User fills in SSL encrypted form, and POSTs to the server. Server authenticates, and spits out some script to redirect the client

<script language="JavaScript">
<!--
window.location.replace("~~ non-SSL URL ~~");
// -->
</script>

I figure the client side code is there to avoid this dialog.

这篇关于避免 SSL “您将被重定向到不安全的连接."信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！