How do I go about using HTTPS for some of the pages in my ASP.NET MVC based site?

Steve Sanderson has a pretty good tutorial on how to do this in a DRY way on Preview 4 at:

http://blog.codeville.net/2008/08/05/adding-httpsssl-support-to-aspnet-mvc-routing/

Is there a better / updated way with Preview 5?

+2  A: 

Some ActionLink extensions: http://www.squaredroot.com/post/2008/06/11/MVC-and-SSL.aspx

Or a controller action attribute that redirects to https://: http://forums.asp.net/p/1260198/2358380.aspx#2358380

David Laing
+1  A: 

Here's a blog post by Pablo M. Cibrano from January 2009 that gathers up a couple of techniques including an HttpModule and extension methods.

Robin M
+1  A: 

Here's a blog post by Adam Salvo that uses an ActionFilter.

Robin M
Make sure you see the follow-up post he wrote himself: http://blog.salvoz.com/2009/04/25/PartialSSLAndAuthorizationWithAspNetMVCRevisited.aspx
Simon_Weaver
+8  A: 

MVCFutures has a 'RequireSSL' attribute.

(thanks Adam for pointing that out in your updated blogpost)

Just apply it to your action method, with 'Redirect=true' if you want an http:// request to automatically become https:// :

    [RequireSsl(Redirect = true)]

See also: ASP.NET MVC RequireHttps in Production Only

Simon_Weaver
Would I have to subclass it in order to handle localhost requests?
Mr Rogers
One way is to create a certificate for your local machine and use that. I think to completely disable it for localhost you would indeed need to subclass or duplicate the code. Not sure what the recommended approach is.
Simon_Weaver
Looks like it's sealed so I'd need to dupe the code. Bummer. The certificate for the local machine would only work in IIS though, right, not the dev web server.
Mr Rogers
@mr rogers - take a look at this: http://stackoverflow.com/questions/1639707/asp-net-mvc-requirehttps-in-production-only/1639831#1639831
Simon_Weaver
+6  A: 

Here's a recent post from Dan Wahlin on this:

http://weblogs.asp.net/dwahlin/archive/2009/08/25/requiring-ssl-for-asp-net-mvc-controllers.aspx

He uses an ActionFilter Attribute.

klabranche
This looks to be the best way at the moment.
Slack
+1 a year later as the isLocal call helped me resolve an issue that was becoming a real pain in the @@@
kekekela
+9  A: 

If you are using ASP.NET MVC 2 Preview 2 or higher, you can now simply use:

    [RequireHttps]
    public ActionResult Login()
    {
        return View();
    }

Though, the order parameter is worth noting, as mentioned here.

Amadiere
You can also do this on the controller level. Better yet, if you want the entire application to be SSL, you can create a base controller, extend it for all controllers, and apply the attribute there.
ashes999
+2  A: 

As Amadiere wrote, [RequireHttps] works great in MVC 2 for entering HTTPS. But if you only want to use HTTPS for some pages as you said, MVC 2 doesn't give you any love - once it switches a user to HTTPS they're stuck there until you manually redirect them.

The approach I used is to use another custom attribute, [ExitHttpsIfNotRequired]. When attached to a controller or action this will redirect to HTTP if:

  1. The request was HTTPS
  2. The [RequireHttps] attribute wasn't applied to the action (or controller)
  3. The request was a GET (redirecting a POST would lead to all sorts of trouble).

It's a bit too big to post here, but you can see the code here plus some additional details.

Luke Sampson
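
One way to write the three checks listed in the answer above, as an added example; it is not Luke Sampson's linked code. The filter body, `AccountController` and its actions are assumptions for illustration, built on the `System.Web.Mvc` types that ship with MVC 2.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical implementation of the [ExitHttpsIfNotRequired] idea (added example).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;

        // 1. Only act on requests that arrived over HTTPS.
        if (!request.IsSecureConnection)
            return;

        // 2. Do nothing when [RequireHttps] is on the action or its controller,
        //    otherwise the two filters would redirect to each other forever.
        var action = filterContext.ActionDescriptor;
        bool httpsRequired =
            action.IsDefined(typeof(RequireHttpsAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true);
        if (httpsRequired)
            return;

        // 3. Only redirect GETs; browsers replay a redirected POST as a GET without its body.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        // Same host and path with the scheme switched; assumes HTTP is served on port 80.
        // Cookies marked Secure are not sent on the resulting HTTP request.
        filterContext.Result = new RedirectResult("http://" + request.Url.Host + request.RawUrl);
    }
}

// Assumed controller showing how the two attributes combine.
[ExitHttpsIfNotRequired]
public class AccountController : Controller
{
    [RequireHttps]
    public ActionResult Login() { return View(); }  // HTTP -> HTTPS, then stays there

    public ActionResult About() { return View(); }  // HTTPS GET -> redirected to HTTP
}
```
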
A: 

This isn't necessarily MVC specific, but this solution does work for both ASP.NET WebForms and MVC:

http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx

I've used this for several years and like the separation of concerns and management via the web.config file.