ansaurus

Question

ASP.NET: best practice for redirecting to https

Answer 1

+1 A:

http://www.raoulpop.com/2007/08/07/automatic-redirect-from-http-to-https/

It's done in the webserver.

chris 2009-12-16 20:51:01

Answer 2

+1 A:

I would call the Response.Redirect in page_load. It is simpler than generating the javascript, and will send fewer bytes to the client.

Code example

Ray 2009-12-16 20:51:19

Ray - That's a great point about fewer bytes being sent when using the CodeFile logic instead of javascript which is sent in every request. Thanks

Justin C 2009-12-16 21:24:55

When redirecting via js you also have to think about clients without js or with js disabled, which would make the application less secure. Server-side validation is lighter and more secure.

Ariel 2009-12-18 15:36:40

Answer 3

+7 A:

I'd use URL rewriting to do that. Why? because it's simple to implement, requires no modifications to the application, and is easy to maintain.

On IIS7 you can accomplish that using URL rewrite module, for example:

<!-- http:// to https:// rule -->
<rule name="ForceHttpsBilling" stopProcessing="true">
  <match url="(.*)billing/(.*)" ignoreCase="true" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="false" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>

On IIS6 you'll have to use a 3rd party library. I use IIRF (http://www.codeplex.com/IIRF) it's free, stable, and has a good amount of features.

Ariel 2009-12-17 00:54:10

Thanks for adding an example Pavel. I'm still on IIS6 so haven't gotten dirty with IIS7's rewrite module. It does look promising though :)

Ariel 2009-12-18 15:34:36

Answer 4

+1 A:

Actually the best practice would be to do this in one of three places, assuming hardware or IIS settings are not an option. Just code options.

In an HTTPModule. HttpModules are ran before any request is processed, so you could do the URL check and redirect there. This is what I would do.
In Global.asax.
In a custom base page, in the init function.

All of those would be good options. One and two are guaranteed to be hit by every request processed by ASP.NET. The third one requires that you make sure all of your pages inherit from the base page.

I would not put the code in each page, that's just bad programming.

Let me know if you need more clarification, but this is a good start.

Clarence Klopfstein 2009-12-17 04:11:12

+1 very valid answer have no idea why anyone DV'd

Chris Marisic 2010-05-11 20:15:38

Answer 5

A:

Generally, there are specific parts of the site that you either want to always be HTTPS, or HTTP.

I use the following action attribute to convert the traffic either to one or another:

public class ForceConnectionSchemeAttribute : ActionFilterAttribute
{
    private string scheme;

    public ForceConnectionSchemeAttribute(string scheme)
    {
        this.scheme = scheme.ToLower();
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        Uri url = filterContext.HttpContext.Request.Url;
        if (url.Scheme != scheme)
        {
            string secureUrl = String.Format("{0}://{1}{2}", scheme, url.Host, url.PathAndQuery);
            filterContext.Result = new RedirectResult(secureUrl);
        }
    }
}


// Suppose I always want users to use HTTPS to access their personal info:
[ForceConnectionScheme("https")]
public class UserController: Controller
{
    // blah
}

Andy 2010-01-03 12:27:55

ansaurus

tags:

views:

answers:

ASP.NET: best practice for redirecting to https

related questions