tags:

views:

424

answers:

3
+5  Q: 

How do I do the OPPOSITE of [RequireHttps(Redirect=true)] in ASP.NET MVC

I know the easy way to get to an SSL page in ASP.NET MVC - via the [RequireSSL] attribute but I'm a little confused to the best way to do the opposite.

I have many links on my site in a header bar and most of those links don't require SSL and I don't want to still use SSL.

The futures project makes it very easy to redirect automatically to an SSL page with [RequireSSL(Redirect=true)], but it doesnt seem to make it easy to get out of this context and automatically redirect back to http.

What am I missing?

+4  A: 

You're not missing anything; there is no out-of-the-box functionality for this. You can easily create your own by taking the RequireSslAttribute source and modifying it.

Levi  2009-07-21 17:49:06
does it make sense to do this? i cant see any issue with it myself, but then it leaves me wondering why it isnt a standard feature. am i going to get those annoying 'you have been redirected to an insecure page' errors?
Simon_Weaver  2009-07-21 20:46:34
It's not a standard feature because there isn't enough incentive to include it. Similarly, [RequireSsl] hasn't been moved out of Futures and into the main binary because even though it's tested, it hasn't yet gone through specification, review, and documentation.If you're concerned about warnings, perhaps it's best to generate HTTP links instead of HTTPS links in the first place. There are Html.ActionLink() overloads that accept a protocol as a parameter.
Levi  2009-07-21 23:29:29
A: 

This is well worth reading (epecially to realize the security implications of switching carelessly back to http from https :

Partially SSL Secured Web Apps With ASP.NET - not MVC specific but relevant security concerns

Partial SSL Website with ASP.NET MVC - MVC friendly

It's quite a complicated issue overall. Still haven't found a true solution to everything I want to do, but thought these articles may help others.

Simon_Weaver  2009-11-06 04:12:40
A: 

Answer from a dupe question elsewhere:

How to step out from https to http mode in asp.net mvc.

CAUTION: If choosing to use this approach your auth cookie will be sent over plain text after switching back to HTTP, and can potentially be stolen and used by someone else. See this. In other words - if you were using this for a bank site you would need to make sure that switching to http would first log the user out.

public class DoesNotRequireSSL: ActionFilterAttribute 
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext) 
        {
                var request = filterContext.HttpContext.Request;
                var response = filterContext.HttpContext.Response;

                if (request.IsSecureConnection && !request.IsLocal) 
                {
                string redirectUrl = request.Url.ToString().Replace("https:", "http:");
                response.Redirect(redirectUrl);
                }
                base.OnActionExecuting(filterContext);
        }
    }
Simon_Weaver  2009-11-06 04:18:43

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data