Secure ASP.NET
SSL and ASP.NET 2.0
By Don Kiely
Secure Sockets Layer, SSL, is one of the easiest ways to add a strong layer of security to a Web application. Supported by pretty much all modern Web servers and browsers, all it takes is a trusted digital certificate and a moment of effort to protect an entire Web application. In an ideal world, all legitimate sites would enable SSL for the entire site, which would eliminate many common attacks and make phishing harder. With modern server horsepower and ample bandwidth, we re close to the ideal. Nonetheless, not everyone has the bandwidth, and some companies are stuck believing that SSL for an entire site adds too much overhead. So for the foreseeable future, we ll have to deal with protecting only portions of a site: the pages that actually transmit sensitive data, such as login credentials, credit card numbers, and so on. That gets a little trickier and requires some thought and effort, but not much.
A couple of recent posts by my fellow Visual Developer-Security MVP, Dominick Baier, got me thinking about SSL. I ve had to grapple with SSL a lot in the last six months because of a client s Web project. Only in the most polite way can the project be referred to as a legacy application. It s an ASP.old application that has been screaming for a major overhaul for years. Not just because it is ASP, but because the developers who have worked on it over the years clearly didn t have a clue about how to secure a Web site. One egregious example is that the SSL pages are scattered all over this rather large site, with hard-coded links that use the https: prefix rather than segregating the pages requiring protection, making it a maintenance nightmare. To make matters worse, many non-sensitive pages use SSL and many sensitive pages don t.
Fortunately, the client is gearing up for the long overdue overhaul, so soon it will be a bright, shiny ASP.NET 2.0 application (and probably built using DotNetNuke, an ASP.NET 2.0-based framework for building enterprise Web applications). One of the many things we ll be cleaning up is how the site uses SSL, using the cool new features in ASP.NET 2.0 to do it.
Enter Dominick s blog post, Partially SSL Secured Web Apps with ASP.NET, which highlights some of those SSL features. The requireSSL attribute of the httpCookies element requires that compliant browsers send cookies over SSL to protect their content, and you can use the same attribute with forms authentication. Other parts of the post cover how to automatically redirect to the SSL-protected version of a page when the user uses http: instead. Dominick even provides the code for a helper object so that you can do this, using relative paths rather than hard-coding the https: prefix (a major problem in my client s site):
SslTools.Redirect("~/ssl/default.aspx", RedirectOptions.AbsoluteHttps);
If you re interested in ASP.NET security or .NET security in general add Dominick s blog to your RSS aggregator. He s a smart guy and writes interesting stuff.
There are a few issues that you re likely to encounter as you implement SSL on an ASP.NET 2.0 site. I just stumbled on an interesting article on the Microsoft support site, SSL Termination and ASP.NET. Don t be put off by the introduction about putting an SSL device between the client and Web server. The article addresses two issues you re sure to encounter: the ever-annoying This page contains both secure and nonsecure items. Do you want to display the nonsecure items? message and a problem with repeated redirects to the FormsAuthentication login page when you use the requireSSL attribute.
SSL is one of the best security features we have for Web applications, so it s worth the time to learn about what ASP.NET 2.0 has to offer. SSL isn t perfect, but getting it right will go a long way toward making your site secure.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
