SSL Shared Certificate -
uses and limitations
An option on your hosting account is the
setup and use of a shared certificate allowing
you to encrypt your sensitive pages using
unbreakable 128-bit SSL encryption.
A certificate is installed on each of our
web servers and on request we'll set up
a virtual directory for you pointing to
a directory called 'ssl' inside your account.
The URL for your secure pages will be anonymous
and in the form of :
https://dn-*-secure.com/username
(where * denotes the DotNetted web server
your site is installed on)
Cookies and Session Variables
When you move between your shared SSL directory
and the rest of your web site you are effectively
moving from one web site and domain to another
and any session variables or other cookies
created will be destroyed - you need to
find another way of passing information
between the pages.
The most common way to do this is to either
post the information from one page to the
other via a form (or query string) or to
save that info to your database, move to
the other 'site' and then retrieve the info
back from the database.
Security Warnings
Every item that is displayed inside your
secure pages, e.g. images or style sheets,
MUST be served from your SSL directory,
otherwise you will receive an error message stating
that some items in the page are insecure.
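The rule above can be checked before a page goes live. The following Python script is an added example, not part of the original help page or DotNetted's own code; it lists every image, style sheet, script or frame in a page that would not be served from the SSL directory. The host dn-x-secure.com, the sample HTML and the name find_insecure_items are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute normally makes the browser fetch an item for the page.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "input": "src", "link": "href"}

# Constructed sample; "dn-x-secure.com" stands in for the real server name.
SSL_ROOT = "https://dn-x-secure.com/username/"
PAGE_URL = SSL_ROOT + "checkout.asp"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://www.example.com/style.css">
<img src="images/cart.gif">
<img src="/images/logo.gif">
<script src="https://dn-x-secure.com/username/js/validate.js"></script>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, reference) pairs for items the page pulls in."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, value))


def find_insecure_items(html, page_url, ssl_root):
    """Return (tag, resolved_url, reason) for items not served from ssl_root."""
    root = urlparse(ssl_root)
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, ref in collector.refs:
        # Resolve relative references the way the browser would.
        resolved = urljoin(page_url, ref)
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append((tag, resolved, "not https"))
        elif url.netloc != root.netloc or not url.path.startswith(root.path):
            findings.append((tag, resolved, "outside SSL directory"))
    return findings


if __name__ == "__main__":
    for finding in find_insecure_items(SAMPLE_HTML, PAGE_URL, SSL_ROOT):
        print(finding)
```

A root-relative reference such as /images/logo.gif resolves above the /username directory, so it is flagged even though it is requested over https.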
/bin directory .dll's
If you wish to use your own .NET .dll files
(via the /bin directory) on your secure
pages you'll need to create a /bin directory
under your SSL directory and place copies
of your .dll's in here. This is because
the SSL pages run under a separate virtual
directory and application so can't access
the /bin files of your main account.
Forcing a https / SSL connection
To force a connection into secure (https://)
mode all you need to do is call the FULL
URL of the page, for instance if you had
an online store and the checkout was to
be held on your secure directory in a page
called checkout.asp then links in your site
to the checkout page would be absolute in
the form of :
https://dn-*-secure.com/username/checkout.asp
To ensure that visitors cannot accidentally
get to your payments pages in non-secure
mode use the following piece of code at
the top of all your secure pages :
<%
' Redirect to the secure URL if the request did not arrive over HTTPS
If Request.ServerVariables("HTTPS") = "off" Then
    Response.Redirect("https://dn-*-secure.com/username/pagename.asp")
End If
%>
On hitting your page this code will check
whether an https connection has been initiated,
and if not, redirect to the page through
the correct secure URL.
Please note :
SSL should only be used where absolutely
required as the encryption is very CPU intensive
using around 10 times the resources of the
equivalent non SSL page. This leads to higher
server loads and slower page load times
for your visitors.