I'm using the IIS 7 rewrite module to redirect a page to use https if http is detected.

Is it possible that the rewrite module can be bypassed? Would it be overkill to also put an https check in the page_load code?

+1  A: 

If you want to force SSL, the best way to do it is to use only port 443. If you only need SSL on some pages of your website, my recommendation is to move these files into a special web application or virtual directory. By doing this you can force the SSL connection for these files without worrying about rewrite rules. You can check how to do it here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/

Allowing HTTP and HTTPS connections to the same resource can be used to perform a cookie-stealing attack if the application's cookies do not use the "Secure" attribute.

Pedro Laguna
Thanks. The link you provided showed me how to use appcmd to require SSL for a directory or a file, and it looks like it's working. IIS redirects to a 403.4 page, but I can use a custom error page to redirect to the SSL version.
Steve