Yes, if the IFrame source that the SourceForge logo is in was actually on the page when you get the mixed mode message then it would be a problem also, but you have corrected that by removing it from the page that has the SSL turned on.  You don't get a mixed mode message when you transfer to a page that does not have SSL, it only happens when you are on a page that has SSL and some of the content from that page is referenced on a non-secure layer.

There is a different kind of warning for when you navigate away from a page that has SSL to one that is not secure.  This is usually turned off by most people, but you can not correct that one by changing the output of your site.

I would disagree that the new SSL is handled correctly in DNN.  The multiple round trips to the server is far from optimal.

jbrinkman wrote I have done a complete analysis of the Javascript method you describe on your site and the implementation that we have in DotNetNuke and have shown how the DotNetNuke method is much more efficient.  If you have some other alternative we would be happy to evaluate it, but as of now, using server side redirects is clearly the most efficient method.

I too have come to that conclusion as well.  I am still looking for other ideas myself  as it does still appear to be slow at times, I'll post back here if I come up with anything.

John - My priorities are where they should be: making sure the community is getting the complete picture and is not just taking someone's word for it because they happen to post a lot to the forums. You have repeatedly said that the DotNetNuke SSL implementation is innefficient and you point people to your javascript tip as a better method - which it is not. The SSL implementation is completely independent of the login link implementation. In fact given that the two features were implemented in different releases just highlights this fact.  The configuration on your site for the login page is not related to the SSL implementation. Having a direct login page link is possible with or without SSL. I can create a login link on any DotNetNuke site that links directly to the login page without requiring a single change to any SSL code.  The only item that is different between the two SSL methods is how we redirect from HTTP to HTTPS. 

The very fact that you attempt to post more misleading information here just makes my point. If you go to the link http://www.snapsis.com?ctl=login your browser will issue an HTTP GET request on port 80 and will receive a complete page of 16342 bytes. This page will then change the location.href which will cause the browser to issue another GET request on port 443 which will recieve a second page of 16362 bytes. If this had used the SSL implementation from DotNetNuke then the first GET request would have resulted in in a 302 response of roughly 250 bytes. You completely ignored the analysis of the processing that occurs to build that first HTTP page you return, which the user never fully gets to see and which is therefore just wasted bandwidth usage. Using location.href is not magic. Your browser must still make a request back to the server to get the new page you have requested by changing the page location. So to answer your question no the browser is not causing a 302 redirect using your method. It is causing a whole request/response cycle which means rebuilding the whole page on the server and resending that page a second time using HTTPS. This is much less efficient than using a 302 redirect as indicated in my original analysis which you ignored.

I have not put any bias into my analysis which is why I included the raw XML in my Blog so that everyone could look at the raw numbers and come to their own conclusions.