Hi Joseph Just the fact that I'm not really up to speed on how this SSL business all works yet and didn't want to hold up development. I was curious to see if it was something that could be simply turned on later but seems like that's not the case. Sounds like I will be playing with SSL from the get-go as you say.
Thanks Tom On 28 November 2014 at 13:34, Joseph Cooney <joseph.coo...@gmail.com> wrote: > Rather than defer the change from HTTP to HTTPS to post development, what > would the downside be to generating a self-signed certificate in IIS and > using SSL from the get-go? > > Joseph > > On Fri, Nov 28, 2014 at 12:10 PM, Tom P <tompbi...@gmail.com> wrote: > >> Thank you Glav and Michael. Lots of info here. Will spend some time on >> this to figure out what's going on, it's all over my head at the moment >> >> Thanks >> Tom >> >> >> On 28 November 2014 at 10:13, Paul Glavich <subscripti...@theglavs.com> >> wrote: >> >>> External content can be tricky since you do not control whether its >>> available via https so check on that. >>> >>> >>> >>> Additionally, don’t do something like <script src=” >>> http://somewhere/jquery.js”> >>> >>> As when you go to SSL it will complain about loading insure content and >>> fail. For the most part, using MVC and relative Url’s you should not have >>> to worry about it. If you need to embed some externals, you can optionally >>> use the “//” syntax which adopts the browsers scheme when loading them so >>> >>> >>> >>> <script src=”//somewhere/jquery.js”> >>> >>> Will equate to http://somewhere/jquery.js or https://somewhere/jquery.js >>> depending on whether your site is using SSL or not. >>> >>> >>> >>> Also, if using forms auth, you can enforce your login to be SSL via >>> >>> <authentication mode="Forms"> >>> >>> <forms loginUrl="~/login" timeout="2880" *requireSSL**=**"true"* /> >>> >>> </authentication> >>> >>> >>> >>> >>> >>> You could leave this out in development config but include in release >>> config. There is also the [RequireSSL] attribute as well. See >>> http://weblog.west-wind.com/posts/2014/Jun/18/A-dynamic-RequireSsl-Attribute-for-ASPNET-MVC >>> >>> >>> >>> >>> >>> - Glav >>> >>> >>> >>> *From:* ozdotnet-boun...@ozdotnet.com [mailto: >>> ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Michael Ridland >>> *Sent:* Friday, 28 November 2014 8:49 AM >>> *To:* ozDotNet >>> *Subject:* Re: SSL for ASP.NET MVC >>> >>> >>> >>> Hi Tom >>> >>> >>> >>> It can be more complicated than that, take a look at this. >>> >>> >>> >>> http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/ >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> On Fri, Nov 28, 2014 at 8:40 AM, Tom P <tompbi...@gmail.com> wrote: >>> >>> Hi Noonie >>> >>> >>> >>> That sounds good. So it can be turned on later on if necessary. >>> >>> >>> >>> Is it necessary for me to "demand" SSL for LogIn type methods as those >>> should definitely be secure in a live environment? It doesn't concern me >>> while developing but it scares me to think the administrators may simply >>> forget to turn on SSL and then LogIn details will float around not >>> encrypted and the blame will find me somehow. >>> >>> >>> >>> >>> >>> Thanks >>> >>> Tom >>> >>> >>> >>> >>> >>> >>> >>> On 27 November 2014 at 20:35, noonie <neale.n...@gmail.com> wrote: >>> >>> Tom, >>> >>> You can ignore all that stuff as it should have nothing to do with your >>> web application. >>> >>> It's a "server thing" when running behind IIS etc. and all the magic >>> happens lower down the stack. >>> >>> -- >>> noonie >>> >>> On 27/11/2014 4:20 pm, "Tom P" <tompbi...@gmail.com> wrote: >>> >>> Noob question here. >>> >>> >>> >>> How would I go about adding SSL to a MVC site? Is it simply a matter of >>> turning a switch on in the server somewhere and the admins can do it or do >>> things need to be done in code? I am reading a whole variety of ways such >>> as adding attributes, filters, configuration settings, cookie properties, >>> certificates and so on. Seems complicated. I was under the impression I >>> could do without it in development and have it simply "turned on" once it >>> goes live. Is this not the case? >>> >>> >>> >>> >>> >>> Thanks >>> >>> Tom >>> >>> >>> >>> >>> >> >> > > > -- > > w: http://jcooney.net > t: @josephcooney >
