我不需要将整个网站置于 SSL(https://) 下,而只需将 Payment Controller 置于其下。
[RequireHttps] 可以仅用于该 Controller 还是应该应用于每个 Controller ?
谢谢!
最佳答案
这取决于您所说的“好的”是什么意思。如果您有敏感信息,那么您真的应该将 SSL 应用于整个站点,否则其中一个关键因素,即身份验证 cookie,可能会被劫持并使您的 SSL 变得毫无意义。
我的一般经验是,如果站点的一部分需要 SSL,那么整个站点都应该是 SSL。我什至不确定你为什么认为这是一个问题。的确,SSL 需要稍微多一点的资源,但这只是您第一次连接,之后,SSL 就没有明显的开销。
参见 http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
Many web sites log in via SSL and redirect back to HTTP after you’re logged in, which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in clear-text across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so redirecting back to HTTP after you’re logged in won’t make the current request or future requests much faster.
关于.net - SSL 和 ASP.NET MVC,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15148558/