Re: SSL for ASP.NET MVC
Tom,

It is something you can turn on later but you have to develop with a mindset for your eventual usage scenario.

Develop locally without cert
Frequently deploy to dev server that has cert
Test in dev to make sure you don't introduce mixed secure/insecure content
If the content can't be served directly from your secure site then consider alternative content that can
If you must ensure secure connection then look at the http context object, I believe you can check secure connection state there
If you're backing onto sql data store be mindful of sql injection attacks

Always understand that, ultimately, your app might be deployed into an environment where the secure connection is terminated at a border device and the environment owners are comfortable with a http connection inside.

Sorry about the formatting, I'm sending this from my mobile.

--
noonie

On 28/11/2014 3:41 pm, Tom P tompbi...@gmail.com wrote:

> Hi Joseph
>
> Just the fact that I'm not really up to speed on how this SSL business all works yet and didn't want to hold up development. I was curious to see if it was something that could be simply turned on later but seems like that's not the case. Sounds like I will be playing with SSL from the get-go as you say.
>
> Thanks
> Tom
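The secure-connection check noonie mentions, combined with his point about TLS being terminated at a border device, written as an MVC authorization filter. This is an added example, not code from the thread; the proxy address 10.0.0.5 and the use of the `X-Forwarded-Proto` header are assumptions about the hosting environment.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Added example, not from the thread. The proxy address and the forwarded
// header are assumptions: confirm both with the owners of the environment.
public sealed class RequireHttpsBehindProxyAttribute : RequireHttpsAttribute
{
    // Constructed sample address of the border device that terminates TLS.
    private static readonly HashSet<IPAddress> TrustedProxies =
        new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var request = filterContext.HttpContext.Request;

        // Allows local development without a certificate. IsLocal is true only
        // for loopback requests; remove this bypass if the proxy runs on the
        // same machine as the site.
        if (request.IsLocal) return;

        if (IsSecure(request.IsSecureConnection, request.UserHostAddress,
                     request.Headers["X-Forwarded-Proto"]))
            return;

        // Base behaviour: GET is redirected to https://, any other verb throws,
        // so a login POST is never processed over plain HTTP.
        HandleNonHttpsRequest(filterContext);
    }

    // True when the client-facing hop used TLS. The forwarded header is only
    // believed when the direct peer is a known proxy, because any client can
    // send "X-Forwarded-Proto: https" itself.
    public static bool IsSecure(bool isSecureConnection, string peerAddress,
                                string forwardedProto)
    {
        if (isSecureConnection) return true;

        IPAddress peer;
        if (!IPAddress.TryParse(peerAddress, out peer) || !TrustedProxies.Contains(peer))
            return false;
        if (string.IsNullOrEmpty(forwardedProto)) return false;

        // Chained proxies may send "https, http"; the first entry is the
        // hop nearest the client.
        string first = forwardedProto.Split(',')[0].Trim();
        return string.Equals(first, "https", StringComparison.OrdinalIgnoreCase);
    }
}
```

Registering it once with `GlobalFilters.Filters.Add(new RequireHttpsBehindProxyAttribute())` covers every action, so the application refuses plain HTTP even if SSL is never switched on at the server.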
Re: SSL for ASP.NET MVC
Tom,

You can ignore all that stuff as it should have nothing to do with your web application. It's a server thing when running behind IIS etc. and all the magic happens lower down the stack.

--
noonie

On 27/11/2014 4:20 pm, Tom P tompbi...@gmail.com wrote:

> Noob question here. How would I go about adding SSL to a MVC site? Is it simply a matter of turning a switch on in the server somewhere and the admins can do it or do things need to be done in code? I am reading a whole variety of ways such as adding attributes, filters, configuration settings, cookie properties, certificates and so on. Seems complicated. I was under the impression I could do without it in development and have it simply turned on once it goes live. Is this not the case?
>
> Thanks
> Tom
Re: SSL for ASP.NET MVC
Hi Noonie

That sounds good. So it can be turned on later on if necessary. Is it necessary for me to demand SSL for LogIn type methods as those should definitely be secure in a live environment? It doesn't concern me while developing but it scares me to think the administrators may simply forget to turn on SSL and then LogIn details will float around not encrypted and the blame will find me somehow.

Thanks
Tom

On 27 November 2014 at 20:35, noonie neale.n...@gmail.com wrote:

> Tom,
>
> You can ignore all that stuff as it should have nothing to do with your web application. It's a server thing when running behind IIS etc. and all the magic happens lower down the stack.
>
> --
> noonie
Re: SSL for ASP.NET MVC
Hi Tom

It can be more complicated than that, take a look at this.

http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/

On Fri, Nov 28, 2014 at 8:40 AM, Tom P tompbi...@gmail.com wrote:

> Hi Noonie
>
> That sounds good. So it can be turned on later on if necessary. Is it necessary for me to demand SSL for LogIn type methods as those should definitely be secure in a live environment? It doesn't concern me while developing but it scares me to think the administrators may simply forget to turn on SSL and then LogIn details will float around not encrypted and the blame will find me somehow.
>
> Thanks
> Tom
RE: SSL for ASP.NET MVC
External content can be tricky since you do not control whether it's available via https so check on that.

Additionally, don't do something like

    <script src="http://somewhere/jquery.js"></script>

As when you go to SSL it will complain about loading insecure content and fail.

For the most part, using MVC and relative URLs you should not have to worry about it. If you need to embed some externals, you can optionally use the "//" syntax which adopts the browser's scheme when loading them so

    <script src="//somewhere/jquery.js"></script>

Will equate to http://somewhere/jquery.js or https://somewhere/jquery.js depending on whether your site is using SSL or not.

Also, if using forms auth, you can enforce your login to be SSL via

    <authentication mode="Forms">
      <forms loginUrl="~/login" timeout="2880" requireSSL="true" />
    </authentication>

You could leave this out in development config but include in release config. There is also the [RequireSSL] attribute as well. See http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC

-Glav

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On Behalf Of Michael Ridland
Sent: Friday, 28 November 2014 8:49 AM
To: ozDotNet
Subject: Re: SSL for ASP.NET MVC

> Hi Tom
>
> It can be more complicated than that, take a look at this.
>
> http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/
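A check for the insecure references Glav warns about, which can be run over the Views folder each time the site is deployed to the dev server. This is an added example, not code from the thread; the class name and the sample markup are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not from the thread. Reports subresources referenced over
// plain http://, which browsers flag or block once the page is served via HTTPS.
public static class MixedContentScanner
{
    // Tags that load a subresource. <a href> is left out on purpose: a link the
    // user navigates to is not mixed content. <link> also matches rel="canonical",
    // which is harmless, so review those hits by hand.
    private static readonly Regex Subresource = new Regex(
        @"<(?<tag>script|img|iframe|link|audio|video|source|embed)\b[^>]*?\s(?:src|href)\s*=\s*[""'](?<url>http://[^""']+)[""']",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Returns "line N: <tag> url" for every insecure reference in the markup.
    public static List<string> Scan(string markup)
    {
        var findings = new List<string>();
        foreach (Match m in Subresource.Matches(markup))
        {
            // Tags may span lines, so derive the line number from the match offset.
            int line = 1;
            for (int i = 0; i < m.Index; i++)
                if (markup[i] == '\n') line++;
            findings.Add(string.Format("line {0}: <{1}> {2}",
                line, m.Groups["tag"].Value.ToLowerInvariant(), m.Groups["url"].Value));
        }
        return findings;
    }

    // Usage: MixedContentScanner.exe [viewsFolder]. Without an argument it scans
    // the constructed sample below. Exit code 1 means findings, for use in a build.
    public static int Main(string[] args)
    {
        var inputs = new Dictionary<string, string>();
        if (args.Length > 0)
        {
            foreach (var path in Directory.EnumerateFiles(
                         args[0], "*.cshtml", SearchOption.AllDirectories))
                inputs[path] = File.ReadAllText(path);
        }
        else
        {
            inputs["(constructed sample)"] =
                "<script src=\"http://somewhere/jquery.js\"></script>\n" +
                "<script src=\"//somewhere/jquery.js\"></script>\n" +
                "<img src=\"~/Content/logo.png\" />\n" +
                "<a href=\"http://somewhere/\">external link</a>\n" +
                "<link rel=\"stylesheet\"\n      href=\"http://somewhere/site.css\" />\n";
        }

        int total = 0;
        foreach (var input in inputs)
            foreach (var finding in Scan(input.Value))
            {
                Console.WriteLine("{0}: {1}", input.Key, finding);
                total++;
            }
        return total > 0 ? 1 : 0;
    }
}
```

On the constructed sample it reports the `<script>` on line 1 and the `<link>` that starts on line 5, and skips the protocol-relative script, the relative image and the plain hyperlink.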
Re: SSL for ASP.NET MVC
Thank you Glav and Michael. Lots of info here. Will spend some time on this to figure out what's going on, it's all over my head at the moment

Thanks
Tom

On 28 November 2014 at 10:13, Paul Glavich subscripti...@theglavs.com wrote:

> External content can be tricky since you do not control whether it's available via https so check on that.
>
> Additionally, don't do something like
>
>     <script src="http://somewhere/jquery.js"></script>
>
> As when you go to SSL it will complain about loading insecure content and fail.
>
> For the most part, using MVC and relative URLs you should not have to worry about it. If you need to embed some externals, you can optionally use the "//" syntax which adopts the browser's scheme when loading them so
>
>     <script src="//somewhere/jquery.js"></script>
>
> Will equate to http://somewhere/jquery.js or https://somewhere/jquery.js depending on whether your site is using SSL or not.
>
> Also, if using forms auth, you can enforce your login to be SSL via
>
>     <authentication mode="Forms">
>       <forms loginUrl="~/login" timeout="2880" requireSSL="true" />
>     </authentication>
>
> You could leave this out in development config but include in release config. There is also the [RequireSSL] attribute as well. See http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC
>
> -Glav
Re: SSL for ASP.NET MVC
Rather than defer the change from HTTP to HTTPS to post development, what would the downside be to generating a self-signed certificate in IIS and using SSL from the get-go?

Joseph

On Fri, Nov 28, 2014 at 12:10 PM, Tom P tompbi...@gmail.com wrote:

> Thank you Glav and Michael. Lots of info here. Will spend some time on this to figure out what's going on, it's all over my head at the moment
>
> Thanks
> Tom

--
w: http://jcooney.net
t: @josephcooney
Re: SSL for ASP.NET MVC
Hi Joseph

Just the fact that I'm not really up to speed on how this SSL business all works yet and didn't want to hold up development. I was curious to see if it was something that could be simply turned on later but seems like that's not the case. Sounds like I will be playing with SSL from the get-go as you say.

Thanks
Tom

On 28 November 2014 at 13:34, Joseph Cooney joseph.coo...@gmail.com wrote:

> Rather than defer the change from HTTP to HTTPS to post development, what would the downside be to generating a self-signed certificate in IIS and using SSL from the get-go?
>
> Joseph
>
> --
> w: http://jcooney.net
> t: @josephcooney
SSL for ASP.NET MVC
Noob question here. How would I go about adding SSL to a MVC site? Is it simply a matter of turning a switch on in the server somewhere and the admins can do it or do things need to be done in code? I am reading a whole variety of ways such as adding attributes, filters, configuration settings, cookie properties, certificates and so on. Seems complicated. I was under the impression I could do without it in development and have it simply turned on once it goes live. Is this not the case?

Thanks
Tom