After you configure your server to use SSL, you can request any page from your Web site using a secure connection. To retrieve a Web page using SSL, use an address of the form https ://www.yourdomain.com/page.aspx rather than the normal http://www.yourdomain.com/page.aspx . This form works for any page at your Web site.
You can force users to use SSL when requesting pages from your Web site. To do so, open the property sheet for a directory or a single page within the Internet Services Manager and choose the Directory Security or File Security tab. Next, click the Edit button under Secure Communications and choose Require Secure Channel When Accessing This Resource. If you want to require 128-bit SSL, click the Encryption Settings button and choose Require 128-Bit Encryption.
When you're requesting credit card information, it is a good idea to provide both a secure and an unsecure version of the form for collecting the information. Even though SSL is as old as Netscape 1.0, strangely enough, some browsers still do not support it. To enable users to choose between the two versions of the same page, simply provide two different links:
<a href="https://www.yourdomain.com/pay.aspx">Pay Now (secure version)</a> <a href="http://www.yourdomain.com/pay.aspx">Pay Now (unsecure version)</a>
Within the pay.aspx page itself, you can detect whether the page is being requested using SSL. If a user is requesting a page unsecurely, you might want to provide a warning. The page in Listing 21.1 contains a subroutine that detects and reports the security status of an ASP.NET page (see Figure 21.3).
Listing 21.1 IsSecureConnection.aspx
<Script Runat="Server"> Sub Page_Load If Request.IsSecureConnection Then lblMessage.Text = "You are using a secure connection" lblMessage.Text &= "<br><b>Issuer:</b>" lblMessage.Text &= Request.ServerVariables( "CERT_SERVER_ISSUER" ) lblMessage.Text &= "<br><b>Subject</b>" lblMessage.Text &= Request.ServerVariables( "CERT_SERVER_SUBJECT" ) lblMessage.Text &= "<br><b>Encryption Key Size:</b>" lblMessage.Text &= Request.ServerVariables( "CERT_KEYSIZE" ) lblMessage.Text &= "<br><b>Certificate Key Size:</b>" lblMessage.Text &= Request.ServerVariables( "CERT_SECRETKEYSIZE" ) lblMessage.ForeColor = System.Drawing.Color.Green Else lblMessage.Text = "You are not using a secure connection" lblMessage.ForeColor = System.Drawing.Color.Red End If End Sub </Script> <html> <head><title>IsSecureConnection.aspx</title></head> <body> <asp:Label ID="lblMessage" Runat="Server" /> <p> Please enter your credit card information, your social security number, your yearly income, and your favorite color. </body> </html>
The C# version of this code can be found on the CD-ROM.
Figure 21.3. Reporting security status.
In the Page_Load subroutine in Listing 21.1, the IsSecureConnection property of the Request object detects whether the page was requested using SSL. If the page was requested using SSL, several properties of the secure connection are reported , such as the name of the issuer of the certificate and the encryption key size.