I was wondering, how can implement HTTPS on one part of website?
Let`s say, I want to create internet shop. I want to be able browse all items without HTTPS (it is faster right?). And when I want to make a payment, then I want to use HTTPS.
As much as I have read in other articles, when IIS is configured to use HTTPS, the configuration is applied for whole site 🙁
P.S. another question. What if I want the shop to be available only for users who already have accounts (it means users have to login to enter the shop)? Then user adds items to basket and then goes to the payment page (which is using HTTPS). Do they have to have another account dedicated for checkout and login to it in HTTPS page?
There’s nothing wrong with using HTTPS for an entire website – in fact it’s encouraged. There was a performance downside to using HTTPS for all requests back in the 1990s when computer hardware wasn’t as powerful as today, but now the only reason not to do all-site-HTTPS is that you can’t afford the $20 a certificate costs 🙂
Anyway, the articles you’ve read are half-right. HTTPS support can only be enabled on a per-website basis, however you don’t need to make HTTPs mandatory for an entire site: this is controlled by the “Require SSL/TLS” checkbox in IIS. If you leave that checkbox unchecked then users can still browse the site using non-secured HTTP. When it comes to the checkout page, then you can implement the “Require SSL/TLS” feature in your ASP.NET code (check the
Request.IsSecureConnectionproperty), such as by doing a redirection to the secure version of your site.