SSL support for Login
meigs
#1 Posted : Saturday, 22 March 2008 10:44:47 AM(UTC)
Rank: Advanced Member

Joined: 16/03/2008(UTC)
Posts: 86
Man
Location: Pennsylvania

Would it be possible to set a switch in the config file to force the login.aspx file to https: to support secure login where SSL is enabled?

Thanks.
Roger Martin
#2 Posted : Sunday, 23 March 2008 2:11:32 PM(UTC)
Roger Martin

Rank: Administration

Joined: 3/08/2007(UTC)
Posts: 3,300
Location: Fort Atkinson, WI

You may be able to do this already just by altering the URL for the login page in web.config. Look for this section:

Code:
<authentication mode="Forms">
    <forms loginUrl="login.aspx" defaultUrl="default.aspx" protection="All" timeout="129600" slidingExpiration="true"/>
</authentication>


and change it to this:

Code:
<authentication mode="Forms">
    <forms loginUrl="https://www.yourdomain.com/gallery/login.aspx" defaultUrl="default.aspx" protection="All" timeout="129600" slidingExpiration="true"/>
</authentication>


You need to edit the URL for your server and enable SSL for the containing directory in IIS Manager.

You may find this doesn't work because Gallery Server uses relative redirects within its code. This can probably be solved by isolating the login.aspx page in its own directory in future versions of GS. Let me know what you find and I'll consider refactoring this if necessary.
Roger Martin
Creator and Lead Developer of Gallery Server Pro
meigs
#3 Posted : Monday, 1 September 2008 7:43:41 AM(UTC)
Rank: Advanced Member

Joined: 16/03/2008(UTC)
Posts: 86
Man
Location: Pennsylvania

Hi, just getting back to this after installing 2.1 on a server with SSL.

I tried the following code change in the config as suggested. I had set the site to force a login. To address that I put the login.aspx form in the /anon/ subdirectory, which allows everyone to read. I hard-wired in both the https and the http return as below. I actually got the site to log in fine; however, the page would redirect back to the main menu page. Although the user was logged in, it kept showing the login screen. If I hit the "All Albums" menu at the top of the page I could get into the site and bypass the login.

<authentication mode="Forms">
    <forms loginUrl="https://www.yourdomain.com/anon/login.aspx" defaultUrl="http://www.yourdomain.com/default.aspx" protection="All" timeout="129600" slidingExpiration="true"/>
</authentication>

Any other thoughts would be great. I really only need SSL for the initial login page.

Thanks!
Roger Martin
#4 Posted : Monday, 1 September 2008 7:52:00 AM(UTC)
Roger Martin

Rank: Administration

Joined: 3/08/2007(UTC)
Posts: 3,300
Location: Fort Atkinson, WI

I am confused. Are you saying that, after logging in, you are redirected to the home page, but the login controls at the top right are still showing?
Roger Martin
Creator and Lead Developer of Gallery Server Pro
meigs
#5 Posted : Monday, 1 September 2008 8:17:41 AM(UTC)
Rank: Advanced Member

Joined: 16/03/2008(UTC)
Posts: 86
Man
Location: Pennsylvania

When I set in the config file:

<authorization>
    <deny users="?" />
</authorization>

it forces a login page to be displayed in the center of the page. When I enter the login information the user is logged in, the "All Albums" menu shows up on the top, etc.; however, the login page continues to be displayed. The return URL string is here:

/login.aspx?ReturnUrl=%2fgsp%2fDefault.aspx

and points to the right relative location (I have the site installed in /gsp/ virtual directory).

Roger Martin
#6 Posted : Monday, 1 September 2008 9:25:54 AM(UTC)
Roger Martin

Rank: Administration

Joined: 3/08/2007(UTC)
Posts: 3,300
Location: Fort Atkinson, WI

When you log in the first time, you are at login.aspx, right? And after you enter your username and pwd, you end up *back* at login.aspx? Am I understanding this correctly?

I am not sure I am going to be able to solve this one without getting a certificate and digging in, but at least I would like to understand what is happening.

Roger Martin
Creator and Lead Developer of Gallery Server Pro
Ranny
#7 Posted : Sunday, 6 December 2009 9:04:35 AM(UTC)
Ranny

Rank: Member

Joined: 3/12/2009(UTC)
Posts: 11
Location: USA

I tried adding loginUrl="https://www.mydomain.com/gallery/login.aspx" to the web.config and the login page still appeared using http:. Now the GSP app works if we go ahead and enter https://www.mydomain.com/gallery when connecting. I do not know if the SSL slows down the file retrieval, however. I think that we want to use SSL for the login page to protect our AD passwords and then have it switch back to http: otherwise.
When we select "require SSL" for the IIS Authentication then we get this error if we attempt using http:.
System.Web.HttpException
The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.

On another site we did edit the 403.4 error page to execute this URL and that works for that site. Still, the https: stays active for all of the subsequent requests and does not go back to http:.
<!-- beginning of HttpsRedirect.htm file -->
<script type="text/javascript">
    function redirectToHttps()
    {
        var httpURL = window.location.hostname + window.location.pathname;
        var httpsURL = "https://" + httpURL;
        window.location = httpsURL;
    }
    redirectToHttps();
</script>
<!-- end of HttpsRedirect.htm file -->

This method does not work for us on this GSP app and instead we still get this error:
Exception Type System.Web.HttpException
Message The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.
Source System.Web
Target Site Void SetAuthCookie(System.String, Boolean, System.String)
Stack Trace at System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath)
at System.Web.UI.WebControls.Login.AttemptLogin()
at System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e)
at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Roger Martin
#8 Posted : Monday, 7 December 2009 11:29:43 AM(UTC)
Roger Martin

Rank: Administration

Joined: 3/08/2007(UTC)
Posts: 3,300
Location: Fort Atkinson, WI

GSP does not have built-in support for showing the login page under SSL but not the rest of the gallery. That is something I plan to add, but it is not imminent.

Until then, these are your choices:

1. Do without SSL.
2. Use SSL for the whole app.
3. Build your own logon page that *does* use SSL. This will require customizing the source code.
Roger Martin
Creator and Lead Developer of Gallery Server Pro
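
Choice 2 above (SSL for the whole app) written out as a web.config, as an added example; it is not code from Gallery Server Pro or from any poster in this thread. It assumes the IIS URL Rewrite module is installed and a certificate is bound to the site. With `requireSSL="true"`, `FormsAuthentication.SetAuthCookie` raises the "configured to issue secure cookies" exception quoted in post #7 on any non-SSL request, which is why the redirect rule has to catch plain-HTTP requests first.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Mixed-scheme variant tried in post #3, for comparison: the login page
           is HTTPS, but defaultUrl returns the browser to HTTP, and a cookie
           without the Secure flag then travels in clear text:
             loginUrl="https://www.yourdomain.com/anon/login.aspx"
             defaultUrl="http://www.yourdomain.com/default.aspx" -->
      <!-- Relative URLs keep the scheme the request arrived on.
           requireSSL="true" marks the forms-authentication cookie Secure,
           so the browser never sends it over plain HTTP. -->
      <forms loginUrl="login.aspx" defaultUrl="default.aspx" protection="All"
             timeout="129600" slidingExpiration="true" requireSSL="true" />
    </authentication>
    <!-- Apply the Secure and HttpOnly flags to the other cookies the
         application issues as well. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect every plain-HTTP request to HTTPS before ASP.NET handles it.
             {REQUEST_URI} carries the full original path and query string, so
             this also works when the gallery lives in a virtual directory such
             as /gallery/ or /gsp/. appendQueryString is "false" because
             {REQUEST_URI} already contains the query string. -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                  appendQueryString="false" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```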
Gootynz
#9 Posted : Saturday, 26 December 2009 2:42:52 PM(UTC)
Rank: Member

Joined: 26/12/2009(UTC)
Posts: 6
Man
Location: Aussie

Not sure if this will help, but you can, as I understand it, add the following to web.config.
I used the following to direct all traffic to https://secure.domain.com and it appears to work fine.
<rewrite>
    <rules>
        <!-- Dots in the host patterns are escaped so they match literally. -->
        <rule name="NON WWW to SECURE redirect" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^domain\.com$" />
            </conditions>
            <action type="Redirect" url="https://secure.domain.com/{R:0}" appendQueryString="true" redirectType="Permanent" />
        </rule>
        <rule name="WWW to SECURE redirect" enabled="true" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="www\.domain\.com" />
            </conditions>
            <action type="Redirect" url="https://secure.domain.com/{R:0}" appendQueryString="true" redirectType="Permanent" />
        </rule>
        <!-- {REQUEST_URI} already includes the query string, so it is not appended a second time. -->
        <rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
            <match url="(.*)" />
            <conditions>
                <add input="{HTTPS}" pattern="off" />
            </conditions>
            <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
        </rule>
    </rules>
</rewrite>