ansaurus

Question

Answer 1

A:

You could use a base class for all of your controllers, and decorate that with the require ssl attribute.

DanP 2010-07-19 20:58:16

I (or another team member) don't want to accidentally forget to add the attribute to a new controller, or likewise, forget to inherit from the base class. We want it to be foolproof.

CodeGrue 2010-07-19 21:02:12

@CodeGrue: you could always add a unit test that asserts that all of your controllers use this attribute; see my recent question regarding the serializable attribute: http://stackoverflow.com/questions/3257004/how-to-determine-if-all-objects-are-serializable-in-a-given-namespace

DanP 2010-07-19 21:05:23

Answer 2

A:

You could always add a check at the application level in your global.asax

protected void Application_BeginRequest(Object sender, EventArgs e)
{
   if (HttpContext.Current.Request.IsSecureConnection == false)
   {
    Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
   }
}

Todd Smith 2010-07-19 21:19:02

Answer 3

A:

I ended up using IIS URL Rewrite 2.0 to force the site to switch to HTTPS. This code in web.config does the trick:

  <system.webServer>
    <!-- This uses URL Rewrite 2.0 to force the entire site into SSL mode -->
    <rewrite xdt:Transform="Insert">
      <rules>
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

CodeGrue 2010-07-20 13:25:30

ansaurus

tags:

views:

answers:

MVC RequireHttps entire site

related questions