I've been given the task of updating an Asp.Net web application we have hosted externally.
I've set up a local development environment (.Net Framework 1.1, MS SQL Server, IIS (Windows XP Pro) ).
Now most of our local web app works fine...
but when I try to get to our login page (which uses SSL) I get the standard "The Page Cannot Be Displayed" DSN error page).
The config file mentions something about testing not having access to SSL ports and such, so I set SSL to false in the web.config file, nothing changed and I have no clue what to do.
ASPX pages beyond logon work correctly and return "not logged in"... so only the secure area doesn't work. Could it be something to do with the redirecting from http:// to https://?
Are there any other differences in configuration in such development environments?
note: you are going to need to open another port on the router and all like you would with your http but for https since ssl/https does run on an alternate port if you have not already.
After more reseach I discovered that I do need a "certificate" although I don't have one, is this something that is easily obtainable?
Are all certificates created equal, for example, if I got one, would it be just as compatible as the one my Host Service uses for this app?
When Developing from the same machine that I have the app on, why would I need to change anything on the Router? I should be able to do this without any network connection correct? I just need a local setup, testing using //localhost/ works for all the non secure pages!
Would it be easier to just bypass the security, for example remove the code that adds the security to the login page? I don't need this security on the local computer, I just need to be able to test other pages while being "logged in". So if the login page was ran without ssl here, I'd be happy.
What should i be looking for to remove?
Um, yes it would be easier. If you are not using ssl, you are not using https and then do not need a certificate. I was assumeing you were using ssl for remote use and to do that you would need to open up another port. SSL is pointles for remote use because you do not have to worrie about hackers intercepting passwords or getting content that is non encrypted when you are not doing anything over the internet.
Alright, SSL is used on the Production server (hosted by someone else), I don't need it for my development server and it is only used for 1 or 2 pages.
So how do I go about removing this?
I have found lines like "Replace(http://,https://)" which I assume would do the trick if removed.
I do however run into another (not sure if related) problem.
There is an index.aspx page (codebehind is index.aspx.cs).
This page redirects to the login.aspx (codebehind is login.aspx.cs).
At the top of the html code in index.aspx is the <@...> tag, and it includes an "inherits..." part. Also index.aspx.cs has a line that redirects to login.aspx. The inheritance part is also in the login.aspx file.
Here is what happens:
loading index.aspx with the changes below:
no inheritance, no redirection = index.aspx
no inheritance, redirection = index.aspx
inheritance, no redirection = login.aspx
inheritance, redirection = login.aspx
loading index with inheritance code in login.aspx:
no inheritance, no redirection = index.aspx
no inheritance, redirection = index.aspx
inheritance, no redirection = DSN error
inheritance, redirection = DSN error
It appears that only with the inheritance in, there is code being ran (but gives DSN errors hinting at SSL being used). Seems like the .cs files whether changed or not, make no difference! So how do I update this application?
well if your script is using ssl, but you are doing http:// and not allowing it to use ssl it is not going to work. Stop using the login page all together or test it remotely would be my suggestions. Or get a certificate to do the local testing.
Could you/someone answer the following questions if possible?
What does it take to get a certificate that works with an existing application?
How hard is it to remove the code that makes the login use SSL? After all its just 1 or two pages! I just want to use this without security.
What are the steps/configuration to have my local copy use the code in aspx.cs files and not the inherited classes? Each aspx page has a "codebehind" setting and an "inherits" setting which seems to override the codebehind.
Heh, now we are getting into language structure and OO. Inheritance is a little difficult to explain but it relates to children taking the properties of a parent. I can't just give you a solution that is going to work in all situations for your object oriented / scripting problems, you are going to need to really get in touch with what every language you use to do your asp.net. As for the logins my answer is 'maybe'. I know thats a non answer but it really depends on if you are using system auth, sessions, and other things. It depends on how they were made. You are going to be checking to make sure the user is logged in on each page obviously so you are going to need to take code out on each page, then if you are doing any encryption for passwords you are going to have more playing to do. If you wrote it you should not have any problems taking it out.... What is your deal, you are working on a site some other guy made or something? As for the certificate, IIS has a wizard you can get to in the properties of your default website that will create a request for the certificate and you would send this request to get it.
You can also install a 14 day trial version that you can use to test and understand SSL.
How this works
For IIS, open the IIS snap-in on your local machine. Navigate to your web site and open up the propeties. Select Directory Security. Click the button for server certificates. This will open up the Web Server Certificate Wizard. Select create a new certificate. Select prepaire the request now but send later. Provide your details that will be used to identify your site. Save them to a text file.
This text file contains the required information a SSL company needs to provide you with a certificate.
Once you have your certificate which is just a file, you can then run the same wizard. This time select "Process the pending request and install the certificate". Browse and select the *.cer file provided by verisign.
Once installed this will allow you to run https:// pages. Normally you aplly this to one folder in your site and any pages you want to secure you put them in that folder. Any you don't want secured you leave out of the folder.
To answer some of your questions.
SSL pages do not require code in your page to make it https://.
Look shockingly **** and wouldn't trust it with any sensitive information my clients would send over the internet, but good for an example for the guy.
It doesn't tell you what strength the encription is????
128 bit... But of course I would not use it myself for running an ecommerce site, but why pay for something you are just using for local testing and learning that is not going to be moving any real credit card #s
Thanks for the input guys... It really doesn't matter what the SSL security is like, it can be nothing at all for my purposes, I'm not trying to test the login page, it already works and needs no updates.
When it comes to authentication, what seems to happen is this: index.aspx forwards to login.aspx but before it does so, it changes the URI from http to https by using string.replace... that is the only "security code" I see in the .cs files, which is what made me think that by removing this replace code, it would work in http without SSL. Once the user is logged in, a session var is set for user details. The following pages are through http again, so no more security required.
As for the cs files not being updated, well, being new to this, I assumend that cs files were compiled run-time like jsp or asp files before... now I know that I need to compile them into a DLL file.
So my only problem now, is figuring out how to compile using CSC (since I can't afford VS.NET at the moment). I tried it, but even with a minor change in the code (which is not the problem), csc returns many errors 116 and 101. I have a bunch of subdirectories containing cs files, so I have to somehow compile everything into one dll... not sure how to do it (although I heard that VS uses csc in the background, so there must be a way). I looked at some docs on csc but they don't tell me how to compile many cs files (most in subdirectories) into one dll file, nor do they explain why I'm getting these errors, when I know that these files were compiled before (not by me) but through VS.
Thanks for the input guys... It really doesn't matter what the SSL security is like, it can be nothing at all for my purposes, I'm not trying to test the login page, it already works and needs no updates.
Reply With Quote
gotta make it work
.
Bookmarks