views:

1642

answers:

6

Like the question says, if I have a request for a page on my site like this

http://somename.something.here/Dada.aspx

to something like this

https://somename.something.here/Dada.aspx

A: 

Send a Redirect Header (302) to the browser.

Example:

Response.Redirect("WebForm2.aspx")

Article on the difference between Server.Transfer and Response.Redirect

Bork Blatt
You need to do a bit more than that. You have to use a custom error for 403.4.
BobbyShaftoe
As well, if you just do that, you will lose the Query string and so forth.
BobbyShaftoe
The answer was meant to point the questioner in the right direction, not be a one-stop copy, paste, and compile solution.
Bork Blatt
+1  A: 

You tagged ASP.NET so I assume you use IIS. Create a file in your Web Root of your web site, call it SSL_Redirect.htm or something like that. Put this Javascript in there:

<Script language="JavaScript"> 
<!-- begin hide 

function goElseWhere() 
{ 

var oldURL = window.location.hostname + window.location.pathname; 


var newURL = "https://" + oldURL; 

query = '' + window.location; 
position = query.indexOf('?'); 
if (position > -1) 
{ 
query = query.substring(position + 1); 
newURL = newURL + "?" + query; 
} 


window.location = newURL; 

} 
goElseWhere(); 

// end hide --> 
</script>

Now, go to the properties of your Web Site. Go to the Customer Errors Tab, look for the 403.4 error, edit it. Change it to use a URL of /SSL_Redirect.htm (or whatever you named it). Now, in the IIS Admin, find that file, SSL_Redirect.htm, right click, go to properties. Go to File Security and uncheck Require SSL for that particular file.

You're done.

BobbyShaftoe
+1  A: 

I think it is as simple as witing

Response.Redirect("https://somename.something.here/Dada.aspx");
Igor Zelaya
+9  A: 

I prefer to (a) not redirect local connections (to ease development under VS), and (b) use a UriBuilder instead of a string.Replace as it's a bit more exact.

if (!Request.IsLocal && !Request.IsSecureConnection) {
    var ub = new UriBuilder(Request.Url);
    ub.Scheme = Uri.UriSchemeHttps;
    ub.Port = -1; // use default port for scheme
    Response.Redirect(ub.Uri.ToString(), true);
    return;
}
Mark Brackett
Thanks create a base page with that in it and changed the inheritence throughout the project, Thanks man
CheGueVerra
One problem with this is that you are only going to be securing ASP.NET pages.
BobbyShaftoe
For now, it's the only problem I have to deal with, but thanks for the notification on that.
CheGueVerra
How did you handle flipping visitors back to http for pages that didn't require https?
Dscoduc
Great answer! Nice and simple to cut and paste in.
Peter
A: 

I remember dealing with the same issues a while back. I wanted to make sure certain pages were over https, while the rest were using http. I also wanted to be sure that once the visitor left the secure page for pages that didn't need to be secure they would flip back to http. To accomplish this I explored two options:

The first option was that I could use the free .NET URLRewriter project to rewrite specific pages outlined in the configuration file:

# HTTP REQUIRED PAGES
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} !(/login\.aspx|/securepage\.aspx).*$ [NC]
RewriteCond %{HTTP_HOST} (.+)
RewriteRule ^(.*)$ http://%3$1 [R=301,L]

# HTTPS REQUIRED PAGES
RewriteCond %{HTTPS} =off
RewriteCond %{REQUEST_URI} (/login\.aspx|/securepage\.aspx).*$ [NC]
RewriteCond %{HTTP_HOST} (.+)
RewriteRule ^(.*)$ https://%3$1 [R=301,L]

Using this configuration I can ensure only the two pages are secure, while the rest will be insecure. I had fine results with this option.

The second option came after I located a complete solution dedicated to handling this very problem. The company is SanibelLogic and they have a product called SSLRedirect. This HTTPModule based solution does exactly what I needed. It does cost a little money but if you want something simple to implement and manage this might fit the bill. They even offer the source code if you want to edit anything about it...

I used both options for many months but ended up using the SSLRedirect product for its simplicity.

I hope this helps...

Dscoduc
A: 

I just had the same problem but I found different solutions using purely IIS configuration.

There are two ways:

(1) The simple way is to just rename your MyWebApp to MyWebAppSSL for example. Enable SSL for the latter. Then create a new empty folder in your IIS called like the old MyWebApp. Click the Properties for MyWebApp, and under "Directory" choose "A redirection to a URL" and put http://MyServer/MyWebAppSSL there. It is recommended to enable "A permanent redirection" for it. You don't need to click the "Create web application" button for MyWebApp by the way as it is not a web application but merely does redirect.

(2) The simple way has of course the disadvantage that from now on your application will run under a new name (with the -SSL ending in this example). If we need to keep it running under the same old name, it will also be possible by merely configuring IIS but we have to proceed a little bit differently. We will have to set up a new web space on our IIS running on a different port. I found this good description: How to Auto-Redirect to a SSL-secured Site in IIS.

herzmeister der welten