Preparing my ASP.NET / MVC site to use SSL?

Question

I'm getting ready to have an SSL cert installed on my hosting.

It is my understanding that (and correct me if I'm wrong...):


  1. Once the hosting guys install the cert, I will be able to browse my site on Http or Https (nothing will stop me from continuing to use Http)?

  2. The only thing I need to do is add logic (in the case of MVC, controller attributes/filters) to force certain pages, of my choosing, to redirect to Https (for instance, adding a [RequiresHttps] attribute sparingly).

Do I have to worry about doing anything extra with these things to make sure I'm using SSL properly? I'm not sure if I need to change something with logic having to do with:


  1. Cookies
  2. PayPal Express integration

Also, I plan on adding [RequiresHttps] only on the shopping cart, checkout, login, account, and administration pages. I wish to leave my product browsing/shopping pages on Http, since I heard there is more overhead for using Https. Is this normal/acceptable/ok?

One more question... I know ASP.NET stores some login information in the form of an Auth cookie. Is it okay that a user logs in within an Https page, but then can go back and browse in an Http page? I'm wondering if that creates a security weakness since the user is logged in and browsing in Http again. Does that ruin the point of using SSL?

I'm kind of a newb at this... so help would be appreciated.

Recommended answer

Starting with your questions: on (1), yes, nothing will stop you from using either http or https for the same pages.

And (2): yes, you need to add your logic for which pages will be shown only as https and which as http. If someone is wondering why not show everything as https, the reason is speed: when you send them as https the pages are bigger and the encode/decode takes a little bit more, so if you do not need https, just switch to http.

Switching Between HTTP and HTTPS Automatically (http://www.codeproject.com/Articles/5523/Switching-Between-HTTP-and-HTTPS-Automatically) is very good code to use for implementing the switching logic fast and easily.

When the cookie has to do with the credentials of the user, you need to force it to be transmitted only with secure pages. This means that if you set a cookie with https, this cookie is NOT transmitted on non-secure pages, so it stays secure and a man in the middle cannot steal it. The tip here is that this cookie cannot be read on http pages, so you can know that the user is A or B only on secure pages.

Yes, this is normal: to leave the products and the cart on an unsecured connection, because the information is not so special. You start the https pages when you are on the user's real data, like name, email, address etc.

If you set it as secure only, then this cookie does not show/read/exist on unsecured pages. It is an issue if you do not make it secure only.

Response.Cookies[s].Secure = true;

A few more words

What we do with secure and non-secure pages is that we actually split the user data in two parts: one that is secure and one that is not. So we actually use two cookies, one secure and one not secure.

The non-secure cookie is, for example, the one that connects all the products in the cart, or maybe the history of the user (what products they have seen). This is also one that we do not actually care about if someone gets it, because even a proxy can see from the URL the user's history, or what the user sees.

The secure cookie is the authentication, which keeps some critical information for the user. So the non-secure cookie is with the user everywhere on the pages; the secure one is only on checkout, when logged in, etc.

MSDN, How To: Protect Forms Authentication in ASP.NET 2.0
Setting up SSL page only on login page: http://stackoverflow.com/questions/6561483/setting-up-ssl-page-only-on-login-page/6561544
Can some hacker steal the cookie from a user and login with that name on a web site?: http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-s
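
The two-cookie split described in the answer, sketched as ASP.NET MVC (System.Web) controllers. This is an added example, not code from the original answer; AccountController, CartController, the "cartId" cookie name and the use of the Membership provider are assumptions.

```csharp
// Added example, not from the original answer. Targets ASP.NET MVC on System.Web.
// Controller names, the "cartId" cookie name and the Membership provider are assumptions.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // https only: [RequireHttps] redirects http GETs and rejects other http verbs.
    [RequireHttps, HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        // Secure cookie: carries the forms-authentication ticket.
        HttpCookie auth = FormsAuthentication.GetAuthCookie(userName, false);
        auth.Secure = true;    // browser sends it on https requests only
        auth.HttpOnly = true;  // not readable from page script
        Response.Cookies.Add(auth);
        return RedirectToAction("Index", "Cart");
    }
}

public class CartController : Controller
{
    private const string CartCookieName = "cartId"; // assumed name

    // Browsing and cart pages stay reachable over http.
    public ActionResult Index()
    {
        HttpCookie cart = Request.Cookies[CartCookieName];
        if (cart == null)
        {
            // Non-secure cookie: an opaque id linking cart rows, no identity or credentials.
            cart = new HttpCookie(CartCookieName, Guid.NewGuid().ToString("N"));
            cart.HttpOnly = true;
            cart.Expires = DateTime.UtcNow.AddDays(7);
            Response.Cookies.Add(cart);
        }
        // When this page is requested over http, the Secure auth cookie is absent
        // and IsAuthenticated is false.
        ViewBag.CartId = cart.Value;
        ViewBag.IsAuthenticated = Request.IsAuthenticated;
        return View();
    }
}
```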
