Ask a Question

IE Protected Mode + SSL Login = No cookie for non-SSL pages

in Education by
(FWIW, I've posted this question to my blog as well: http://blog.wolffmyren.com/2011/07/11/ie-protected-mode-ssl/) Does anyone know how to work around Internet Explorer Protected Mode limitations without requiring the end-user to add our site to the Trusted Sites list? The problem is that if we enable SSL logins for our site, they can only access SSL pages. IE prevents our non-SSL served pages from accessing the cookie created during the SSL session, so we can either serve everything via SSL (very expensive/resource-intensive), or find some way to set an SSL and non-SSL cookie during the login process. This MSDN article (What does ielowutil.exe have to do with Internet Explorer 8.0?) has the most relevant information I’ve found yet, but it discusses using Windows APIs, and I’m looking for a solution I can implement with ASP.NET, JavaScript, or some other well-delivered solution. Update: A friend of mine shared these links, hopefully they'll help: http://www.leastprivilege.com/PartiallySSLSecuredWebAppsWithASPNET.aspx Partial SSL in ASP.NET Webforms without changing IIS configuration JavaScript questions and answers, JavaScript questions pdf, JavaScript question bank, JavaScript questions and answers pdf, mcq on JavaScript pdf, JavaScript questions and solutions, JavaScript mcq Test , Interview JavaScript questions, JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)

1 Answer

0 votes
by
It looks like IIS is giving you secure cookies over your HTTPS connection, which is very sensible indeed. These cookies are designed not to be leaked to a plain HTTP connection, hence the result you get. You could create a secondary, non-secure cookie to pass some authentication information to the HTTP side of your site. However, once you've done this, don't assume that whatever was done or sent during the plain HTTP session was done by the legitimate authenticated user, if at some point you need to go back to HTTPS. It can be OK to pass an authentication token from HTTPS to HTTP, but not the other way. (You'd still be vulnerable to attacks in plain HTTP of course, but this may be an acceptable risk in your application.) There's more about this problem in this question (what applies to Tomcat would be the same with any web server, including IIS): Tomcat session management - url rewrite and switching from http to https

Related questions

0 votes
Q: Why can't I get rid of the "Cookie Preferences" box in IBM Watson when I am on Watson Knowledge Catalog pages?
    The Cookies Preferences box that always appears in the bottom right hand corner of the dataplatform.ibm.com ... Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked Apr 23, 2022 in Education by JackTerrance
0 votes
Q: Sitecore Login Issue No Users to Kick
    Has any else experienced when logging into to sitecore it says too many users are logged but when you ... Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked Jul 20, 2022 in Education by JackTerrance
0 votes
Q: noncanonical and non-echo mode not working with pipe
    Recently, I am trying to write a simple version of Linux command more. In order to do that, I ... JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 19, 2022 in Education by JackTerrance
0 votes
Q: noncanonical and non-echo mode not working with pipe
    Recently, I am trying to write a simple version of Linux command more. In order to do that, I ... JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 7, 2022 in Education by JackTerrance
0 votes
Q: Ionic non polar solid dielectrics contain more than one type of atoms but no permanent dipoles. State True/False
    Ionic non polar solid dielectrics contain more than one type of atoms but no permanent dipoles. ... by,electromagnetic theory engineering physics,electromagnetic theory nptel...
asked Nov 11, 2021 in Education by JackTerrance
0 votes
Q: The magnetic storage chip used to provide non-volatile direct access storage of data and that have no moving parts are known as
    The magnetic storage chip used to provide non-volatile direct access storage of data and that have no moving ... Storage topic in portion Recovery System of Database Management...
asked Oct 10, 2021 in Education by JackTerrance
0 votes
Q: the mode in which you can draw picture no computer screen
    the mode in which you can draw picture no computer screen (1) Graphic mode (2) text mode (3) input mode (4) output Select the correct answer from above options...
asked Dec 14, 2021 in Education by JackTerrance
0 votes
Q: Unable to configure SSL for Kafka Connect REST API
    I'm trying to configure SSL for Kafka Connect REST API (2.11-2.1.0). The problem I tried two ... , JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 14, 2022 in Education by JackTerrance
0 votes
Q: Disable SSL check for install files action
    The "Install files" action is missing the option "accept all SSL certificates" (like other server ... Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 7, 2022 in Education by JackTerrance
0 votes
Q: In SSL, what is used for authenticating a message?
    In SSL, what is used for authenticating a message? (a) MAC (Message Access Code) (b) MAC (Message Authentication ... Security questions and answers pdf, mcq on Cyber Security pdf,...
asked Nov 5, 2021 in Education by JackTerrance
0 votes
Q: Git for Windows: SSL certificate problem: certificate has expired
    I am aware that Let's Encrypt made changes that may impact older clients because a root certificate would ... Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked Oct 23, 2021 in Education by JackTerrance
0 votes
Q: Select menu background goes black on IE for angular material md-select
    There is one issue with the angular material with IE-11 and IE-edge browsers, When the body content ... Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked Jul 20, 2022 in Education by JackTerrance
0 votes
Q: Browser Detection in ReactJS - Deny for IE
    I am looking to deny the use of IE for my reactjs application ... At the moment here is my App. ... , JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 7, 2022 in Education by JackTerrance
0 votes
Q: Browser Detection in ReactJS - Deny for IE
    I am looking to deny the use of IE for my reactjs application ... At the moment here is my App. ... , JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked May 7, 2022 in Education by JackTerrance
0 votes
Q: Why is it not a good idea to use SOAP for communicating with the front end (ie web browser)?
    Why is it not a good idea to use SOAP for communicating with the front end? For example, a web ... JavaScript Questions for Interview, JavaScript MCQ (Multiple Choice Questions)...
asked Mar 16, 2022 in Education by JackTerrance

© Copyright 2018-2023 www.Blogmepost.com. All rights reserved. Developed by Blogmepost.

...