I’ve been working a fair bit on setting users’ homepages within business recently. First temptation was to point directly to the secure Extranet page, but more recently I’ve come to the conclusion this is a bad idea:
- For security reasons you probably want authentication on this page … even the basic authentication dialogue box takes a little while to load on slower systems. If the user wanted to do something else (normally go to Google…) this is nothing but an annoying interruption.
- Secure pages take longer to load than insecure pages. Any startup delay is simply irritating.
- The user may be in a non-private location or presenting something where displaying sensitive Intranet information is unwanted and could potentially be damaging to the business.
- Public wireless networks often redirect users to a sign-in portal. When this redirection occurs with HTTPS pages the user is often presented with a nasty and concerning security warning as the redirection system cannot interfere with HTTPS pages.
Thus, if setting users’ homepages I now prefer to create a non-secure landing page with basic tools such as Google search box and links to useful sites (including Intranet and webmail – these are, after all, secured resources)
By the way, if you’re using cookie-based authentication on your Intranet/Extranet don’t forget to ensure your cookies are set to be. secure. That way, they won’t leak on to an insecure network.