Serve Login Page using HTTPS

Login page should be served using HTTPS\SSL. Note this is the serving of the login page not just the post back once user details are entered. Otherwise it is possible for someone to tamper with the page contents and you may find your users posting their details to a different site and stolen.

Many people think of HTTPS\SSL as a technology that encrypts data. The aspects it provides are
1) It ensures the data was received from the correct Server in the first place
2) It ensures the data was not altered
3) Finally it encrypts the data so it cannot be read on the wire

Many people regard 1 + 2 as the main benefits.

Consideration should be given to whether all content should be over HTTPS\SSL as the cost of doing so is minimal (HTTPS requires a little more processing power usually considered to be 1%). In order to set your cookie secure flag https will be required for all authenticated content anyway.

HSTS headers can be used to further encourage all content over HTTPS.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Google account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

	CRSF (ASP.NET MVC):… on CSRF – Cross Site Reques…
	CRSF (ASP.NET MVC):… on CSRF – AntiForgeryToken…
	WeakBroken Authentic… on CSRF – Cross Site Reques…
	WeakBroken Authentic… on RequireSSL – Marking Coo…
	WeakBroken Authentic… on Mark Cookies as HTTPONLY

ASP.NET MVC Security

Learn about secure ASP.NET MVC sites

Share this:

Like this:

Related

Leave a Reply Cancel reply