We have a very simple ASP.NET web application comprising mostly static content and a single form which we want to protect with SSL. The secured page is in its own folder, but it inherits from an unsecured master page, and it shares some other resources (the logo, css file and some pictures) with the rest of the website. The site is hosted by a third-party, and changing the IIS configuration (or changing to a different host) is not an option.

As we understand, there are a few challenges when dealing with partial SSL on ASP.NET:

  1. Preventing the “This page contains both secure and nonsecure items” message.
  2. Providing support for relative URLs as they won’t work by default when redirecting to a secured page.

We don’t want to secure the whole site, because of the potential performance issues, so what is the best way to protect only one particular page or folder, guaranteeing at the same time that any resource loaded by this page will be secured as well?

A: 

I found the easiest way to do this is by adding code to the specific page that checks if the current request is using HTTPS. If it isn't, do a redirect to the same URL using HTTPS. Then, that whole page will load using SSL. Then, make sure that links or redirects to other pages use absolute HTTP. In other words, SSL can be enabled but not required for the whole site, and the web site's links will control when it gets used.

One way to make sure that all relative links on the site point to non-HTTPS URLs even if the current page is currently using HTTPS is to use the HTML base tag:

<head> 
  <base href="http://yourdomain/" /> 
</head>
Jacob
Thx Jacob. What about the master page on the root folder, and images and css file? All of them will load using SSL, when the secured page is requested by the client? Also, is there any way to change the links dynamically so they don't need the absolute URL?
Leonardo
Yes, the master page and all its linked-to resources would come in as HTTPS as well, so that should avoid the "secure and non-secure" message.
Jacob
A: 

SSL works on site level, not on folder level. Once you install SSL certificate your website could be accessed using https protocol, like so: https://www.example.com. At the same time, your website is still accessible at http://www.example.com - no performance issues.

Images and CSS files will be loaded using https protocol, as long as you use relative paths. Master page never gets requested by client separately so SSL doesn't really apply here.

Use this code to have absolute URL for a link:

<a href='<%= "https://" + Request.Url.Host + Page.ResolveUrl("~/Secure.aspx") %>'>Click me</a>
Pavel Chuchuva
A: 

I ended up overriding the OnInit method on the page I wanted to secure, using the solution described here:

protected override void OnInit(EventArgs e)
{
    if (!Request.IsSecureConnection && !Request.IsLocal)
    {
        UriBuilder builder = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = 443
        };
        Response.Redirect(builder.Uri.ToString());
    }
    base.OnInit(e);
}

For the rest of the pages, I inherited from a base page with the following code on the OnInit method:

protected override void OnInit(EventArgs e)
{
    if (Request.IsSecureConnection)
    {
        UriBuilder builder = new UriBuilder(Request.Url)
        {
            Scheme = Uri.UriSchemeHttp,
            Port = 80
        };
        Response.Redirect(builder.Uri.ToString());
    }
    base.OnInit(e);
}
Leonardo
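The two OnInit overrides above can be collapsed into one base page that every page derives from, with a single flag deciding which scheme a page must be served on. The following is an added example written for this thread, not code from any of the answers or from the asker's site; the class name SchemeEnforcingPage, the RequireSsl property and the CanonicalHost appSettings key are assumptions. It keeps the path and query string of the original request, takes the host name from configuration instead of the incoming Host header when one is configured (so a redirect can never point at a host the client chose), and refuses to "upgrade" a POST that already arrived over plain HTTP, since that form body has already left the browser in clear text.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.UI;

// Hypothetical base page for the whole site: pages override RequireSsl,
// everything else (master page, images, css) follows the scheme of the
// page that requested them because their paths are relative.
public abstract class SchemeEnforcingPage : Page
{
    // Only the page carrying the form returns true.
    protected virtual bool RequireSsl { get { return false; } }

    protected override void OnInit(EventArgs e)
    {
        EnforceScheme();
        base.OnInit(e);
    }

    private void EnforceScheme()
    {
        // Local debugging without a certificate is left alone.
        if (Request.IsLocal) return;

        // Already on the scheme this page wants: nothing to do.
        if (Request.IsSecureConnection == RequireSsl) return;

        // A POST that reached us over HTTP has already exposed its body; a redirect
        // would only turn it into a GET and lose the data, so reject it instead.
        if (RequireSsl && !string.Equals(Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 403;
            Response.Write("This form must be submitted over HTTPS.");
            Response.End();
            return;
        }

        // Build the target from the current URL so path and query string survive.
        var builder = new UriBuilder(Request.Url)
        {
            Scheme = RequireSsl ? Uri.UriSchemeHttps : Uri.UriSchemeHttp,
            Host = CanonicalHost(),
            Port = -1   // -1 = default port for the chosen scheme (443 or 80)
        };

        Response.Redirect(builder.Uri.AbsoluteUri, true);
    }

    private string CanonicalHost()
    {
        // "CanonicalHost" is an assumed web.config appSettings key, e.g.
        // <add key="CanonicalHost" value="www.example.com" />.
        // Falling back to Request.Url.Host keeps the class working when it is absent.
        string configured = WebConfigurationManager.AppSettings["CanonicalHost"];
        return string.IsNullOrEmpty(configured) ? Request.Url.Host : configured;
    }
}

// The single secured page: everything else inherits SchemeEnforcingPage unchanged.
public partial class SecureForm : SchemeEnforcingPage
{
    protected override bool RequireSsl { get { return true; } }
}
```

Because every page derives from the same class, linking to the form with a plain relative URL is enough: the first GET over HTTP is answered with a redirect to the HTTPS version, and any later navigation to an ordinary page is redirected back, which is the behaviour the two separate overrides above implement by hand. One consequence of that downgrade redirect to keep in mind: any cookie the secured form sets should be created with the Secure flag, otherwise the browser will send it along on the very next plain-HTTP request.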