I have an asp.net site. It has an order form which is accessible at https://secure.example.com/order.aspx. The links on the site do not include the domain name. So for example the home page is 'default.aspx'.

The issue is that if I click on a link like the home page from the secure page, the url becomes https://secure.example.com/default.aspx instead of http://www.example.com/default.aspx.

What's a good way to handle this? The scheme should automatically work using any domain name based on where it's launched from. So if the site is launched from 'localhost', moving away from the secured page, the URLs should be http://localhost/...

The navigation links are in a master page.

+2  A: 

I suppose the best solution for this would be an HTTP module.

The simplest implementation of it is posted below. The useUnsecureConnection variable contains the value indicating whether moving away is required (it should be calculated by yourself).

using System;
using System.Web;

public class SecurityModule : IHttpModule
{
    #region IHttpModule Members
    public void Dispose()
    {
    }

    public void Init(HttpApplication application)
    {
        application.BeginRequest += new EventHandler(application_BeginRequest);
    }
    #endregion

    #region Events Handling
    protected void application_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = ((HttpApplication)(sender));
        HttpRequest request = application.Request;
        HttpResponse response = application.Response;

        // Put your own condition here to determine
        // whether to move away from the secure page or not.
        bool useUnsecureConnection = true;
        if (useUnsecureConnection && request.IsSecureConnection)
        {
            // Swap only the leading scheme; String.Replace would also
            // rewrite any "https://" that appears inside the query string.
            string absoluteUri = request.Url.AbsoluteUri;
            response.Redirect("http://" + absoluteUri.Substring("https://".Length), true);
        }
    }
    #endregion
}

And of course don't forget to register the module in your web.config:

    <system.web>
        <httpModules>
            <!-- Used to redirect secure connections to the unsecure ones
                 if necessary -->
            <add name="Security"
                 type="{YourNamespace}.Handlers.SecurityModule,
                 {YourAssembly}" />
            ...
        </httpModules>
    </system.web>

BTW, for localhost the condition may look like:

useUnsecureConnection = request.IsLocal;

which will be true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.

Alex
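
An added example, not part of Alex's answer: one way to calculate useUnsecureConnection and to build the redirect target, including the host switch the question asks about. The SchemePolicy class, the secure-path list and the host map are assumptions, and the site is assumed to run at the application root.

```csharp
using System;
using System.Collections.Generic;

public static class SchemePolicy
{
    // Assumption: pages that must stay on HTTPS (order.aspx is from the question).
    static readonly HashSet<string> SecurePaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/order.aspx" };

    // Assumption: secure host -> public host; unlisted hosts (localhost) stay as-is.
    static readonly Dictionary<string, string> PublicHosts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "secure.example.com", "www.example.com" } };

    // True for an HTTPS request to a page outside SecurePaths. Only GET and HEAD
    // qualify, because redirecting a POST would drop the submitted form data.
    public static bool UseUnsecureConnection(Uri url, string httpMethod)
    {
        bool safeMethod = httpMethod == "GET" || httpMethod == "HEAD";
        return safeMethod && url.Scheme == Uri.UriSchemeHttps
            && !SecurePaths.Contains(url.AbsolutePath);
    }

    // Builds the HTTP URL: scheme and host change, path and query are kept verbatim.
    public static string ToHttp(Uri url)
    {
        UriBuilder builder = new UriBuilder(url);
        builder.Scheme = Uri.UriSchemeHttp;
        // -1 means "default port of the scheme"; a non-default port is kept.
        builder.Port = url.IsDefaultPort ? -1 : url.Port;
        string publicHost;
        if (PublicHosts.TryGetValue(url.Host, out publicHost))
            builder.Host = publicHost;
        return builder.Uri.AbsoluteUri;
    }

    // Constructed sample requests; in the module pass request.Url and request.HttpMethod.
    public static void Main()
    {
        Uri[] samples = {
            new Uri("https://secure.example.com/order.aspx"),
            new Uri("https://secure.example.com/default.aspx?ref=https://partner.example/"),
            new Uri("https://localhost/default.aspx"),
        };
        foreach (Uri url in samples)
            Console.WriteLine(UseUnsecureConnection(url, "GET") ? ToHttp(url) : url.AbsoluteUri);
    }
}
```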