| Author |
Topic |
|
SamC
White Water Yakist
3467 Posts |
 Posted - 2003-10-31 : 09:48:18
|
| I've added a digital certificate to one of our webs. The login.asp page forces references to be secure:https://login.aspThe <form ahref="https://loginpost.asp"> is also secure.Once the login is validated, the loginpost.asp page redirects to a "not secure" pageResponse.Redirect (http://homepage.asp)Now, IE 6.0 will pop-up a warning dialogue box saying the user is being redirected to an insecure page. The user's last action was clicking the SUBMIT button on the login page. It really looks awkward to receive a security alert right after submitting a username / password.Any way to gracefully transition without the IE POP-UP? I know other sites like hotmail.com manage to transition without a warning.Sam |
|
|
ehorn
Master Smack Fu Yak Hacker
1632 Posts |
Posted - 2003-10-31 : 09:54:49
|
| I believe this is a browser setting. It is controlled by the user. What I mean is the user has the ability to disable these warnings but it cannot be controlled via code or redirection techniques. |
 |
|
|
SamC
White Water Yakist
3467 Posts |
Posted - 2003-10-31 : 10:01:01
|
| Yes. But major websites have a solution to prevent this pop-up. I'd like to do the same.Sam |
|
|
|
ehorn
Master Smack Fu Yak Hacker
1632 Posts |
Posted - 2003-10-31 : 10:51:15
|
| I was doing some reading on this and it may be related to your SSL certificate provider - "Trusted Certificates VS Browser Recognized Certificates". You might try speaking with the certificate provider regarding this topic.Related reading - http://www.selfwebhosting.com/ssl-certificate.shtml |
|
|
|
SamC
White Water Yakist
3467 Posts |
Posted - 2003-10-31 : 11:04:02
|
| Different issue. IE is simply warning the user of the redirection from a secure (https) page to a non secure (http) page.Somehow, microsoft, amazon and others have suppressed this warning - you can login their sites, and no pop-up when transitioning to the http page when leaving the https page.Sam |
|
|
|
ehorn
Master Smack Fu Yak Hacker
1632 Posts |
Posted - 2003-10-31 : 11:08:04
|
| Interesting, When logging into Hotmail I do get a warning unless I explicitly check "In the future, Do not show this warning again." Sorry SamC no help here... |
|
|
|
mohdowais
Sheikh of Yak Knowledge
1456 Posts |
Posted - 2003-10-31 : 12:35:40
|
ehorn is right, Sam. Whenever I do a fresh install of a pc, and the first time I login to Hotmail, I always get this message "You are now leaving a secured page...blah...blah". And I get this message everytime, until I uncheck the "Do not show me this warning in the future" option on the message. But I am wondering, how come you get this message for your domain and not for hotmail? Is this web server of yours on the Intranet? I have a feeling this setting might be Zone-specific.Owais
Where there's a will, I want to be in it. |
|
|
|
SamC
White Water Yakist
3467 Posts |
Posted - 2003-10-31 : 13:12:21
|
| First, I want to acknowledge that I'm aware the pop-up can be disabled within IE on the client PC.I have IE on my PC. It'll pop-up the warning message on my wite that "I'm leaving a secure page"... (blah blah). It's the transition from https to http. Now, with the same PC, same IE, I can transition from https to http on Amazon, Microsoft, Hotmail and other major sites, without getting the popup.It's important to me that I solve this issue by NOT having to solve it on every client PC. It's a matter of fixing the issue in one place that I can control rather than every other place that I have no control over at all.Sam |
|
|
|
jackstow
Posting Yak Master
160 Posts |
Posted - 2003-11-04 : 06:12:47
|
| There's a solution to this that I came across on www.asp.net a while ago. Haven't used it myself but it could be worth a try - http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=108335 |
|
|
|
SamC
White Water Yakist
3467 Posts |
Posted - 2003-11-04 : 08:06:06
|
Thanks. I found the same solution elsewhere. I *wish* there were a server-side solution, but this JavaScript is getting the job done. I've added a link to non-ssl on the page (in the event the browser's JS is disabled. The meta-refresh tag below looks like a good backup to the JS too.<html> <head> <script language="JavaScript"> <!-- window.location.replace("http://www.yahoo.com"); // --> </script> <meta http-equiv="Refresh" content="0; url=http://www.yahoo.com"> </head> <body> </body></html> |
|
|
|
ehorn
Master Smack Fu Yak Hacker
1632 Posts |
Posted - 2003-11-04 : 08:08:06
|
| Thanks for posting your solution SamC. I'll have to try this out as we have develop many B2B sites which are SSL. |
|
|
|
SamC
White Water Yakist
3467 Posts |
Posted - 2003-11-04 : 08:23:11
|
If anyone's gonna try the code I used, here it is.<script language="javascript"><!-- function redir(){ window.location.href = "http://myurl.com/index.asp";}//--></script><body onload="redir();">I'm not a javascript guy, but it looks like the whole enchalada can be coded on a single line to me:<body onload-"window.location.href="http://myurl.asp">Then I'd add a link on the page (click here if this doesn't redirect). *At least* user's won't get a "you're being sneakily redirected to a non-secure page by some shyster host" message.Sam |
|
|
|
mohdowais
Sheikh of Yak Knowledge
1456 Posts |
Posted - 2003-11-05 : 00:39:55
|
Hey nice solution. Thanks.Owais
Where there's a will, I want to be in it. |
|
|
|
|
SSL Login problem