tags:

views:

41

answers:

3
+1  Q: 

ASP.NET MVC: How to automatically disable [RequireHttps] on localhost?

I want my login page to be SSL only:

    [RequireHttps]
    public ActionResult Login()
    {
        if (Helper.LoggedIn)
        {
            Response.Redirect("/account/stats");
        }

        return View();
    }

But obviously it doesn't work on localhost when I develop and debug my application. I don't wanna use IIS 7 with SSL certificates, how can I automatically disable the RequireHttps attribute?

Update

Based on info provided by StackOverflow users and ASP.NET MVC 2 source code I created the following class that solves the problem.

public class RequireSSLAttribute : FilterAttribute, IAuthorizationFilter
{
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            HandleNonHttpsRequest(filterContext);
        }
    }

    protected virtual void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.Url.Host.Contains("localhost")) return;

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed via SSL");
        }

        string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

And it's used like this:

[RequireSSL]
public ActionResult Login()
{
    if (Helper.LoggedIn)
    {
        Response.Redirect("/account/stats");
    }

    return View();
}
+2  A:  
#if (!DEBUG)
[RequireHttps]
#endif
public ActionResult Login()
{
    if (Helper.LoggedIn)
    {
        Response.Redirect("/account/stats");
    }

    return View();
}
Femaref  2010-09-02 14:46:00
I thought about this too. But it means that I have to add #if DEBUG for every RequireHttps attribute.
Alex  2010-09-02 14:56:57
ah, I thought it was only one occasion. The other proposals are better then.
Femaref  2010-09-02 15:44:17
+5  A: 

The easiest thing would be to derive a new attribute from RequireHttps and override HandleNonHttpsRequest

public override void HandleNonHttpsRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.Request.Url.Host.Contains("localhost"))
            {
                base.HandleNonHttpsRequest(filterContext);
            }
        }

HandleNonHttpsRequest is the method that throws the exception, here all we're doing is not calling it if the host is localhost (and as Jeff says in his comment you could extend this to test environments or in fact any other exceptions you want).

Chao  2010-09-02 14:49:53
This method could be modified to also not require HTTPS in test environments.
Jeff Siver  2010-09-02 14:52:18
Where should I place this code? UpdateOh never mind I got this.
Alex  2010-09-02 14:59:04
I used your code and MVC's source code to create a solution. Thanks!
Alex  2010-09-02 15:06:07
One of many reasons that I love MVC being open source :)
Chao  2010-09-02 15:07:09
+3  A: 

You can encapsulate this requirement in a derived attribute:

class RequireHttpsNonDebugAttribute : RequireHttpsAttribute {
    public override void HandleNonHttpsRequest(AuthorizationContext ctx) {
        #if (!DEBUG)
        base.HandleNonHttpsRequest(ctx);
        #endif
    }
}
joshperry  2010-09-02 14:51:55

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?