views: 1998

answers: 5

I'm working on a web site which contains sections that need to be secured by SSL.

I have the site configured so that it runs fine when it's always in SSL; I see the SSL padlock in IE7/IE8/FireFox/Safari/Chrome.

To implement the SSL switching, I created a class that implemented IHTTPModule and wired up HTTPApplication.PreRequestHandlerExecute.

I go through some custom logic to determine whether or not my request should use SSL, and then I redirect. I have to deal with two scenarios:

  • Currently in SSL and request doesn't require SSL
  • Currently not in SSL but request requires SSL

I end up doing the following (where ctx is HttpContext.Current and pathAndQuery is ctx.Request.Url.PathAndQuery):

// SSL required and current connection is not SSL
if (requestRequiresSSL && !ctx.Request.IsSecureConnection)
   ctx.Response.Redirect("https://www.myurl.com" + pathAndQuery);
// SSL not required but current connection is SSL
if (!requestRequiresSSL && ctx.Request.IsSecureConnection)
   ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);

The switching back and forth now works fine. However, when I go into SSL mode, FireFox and IE8 warn me that my request isn't entirely encrypted.

It looks like my module is short circuiting my request somehow, would appreciate any thoughts.

+3  A: 

I would suspect that when you determine which resources require encryption and which do not, you do not include the images, or some headers and footers as well, or even CSS files, if you use any.

As you always throw away SSL for such content, it may happen that part of the page (the main HTML) requires SSL, but the consequent request for an image on this page does not.

The browser is warning you that some parts of the page were not delivered using SSL.

I would check if the request is for HTML, and only then drop the SSL if needed. Otherwise, keep it the way it is (most probably images and such are referenced with relative paths rather than a full-blown URL).

I.e., if you have:

<html>
<body>
   Some content...
   <img src="images/someimage.jpg">
</body>
</html>

and you request this page using SSL, but your evaluation of requestRequiresSSL does not take the images into account as secured resources, it will form an http, not https, request, and you will see the warning.

Make sure when you request a resource and evaluate requestRequiresSSL, to check the referrer and if this is an image:

// SSL not required but current connection is SSL
if (!requestRequiresSSL && ctx.Request.IsSecureConnection && !isHtmlContent)
   ctx.Response.Redirect("http://www.myurl.com" + pathAndQuery);

Just figure out how to determine isHtmlContent (if you do not serve images from a database, etc., but from a disk location, just check the resource filename: .aspx, .asmx, .ashx, .html, etc.).

That way, if the connection is encrypted, but the resource itself is not HTML and is not set for "encryption", you are not going to drop the encryption.

Sunny
In this scenario, my httpmodule basically ignores the request. I see what you're saying about checking the requestRequiresSSL property of the referrer. But what should the module do in that case? I shouldn't do a redirect on a request for non-html content, so I'm not sure how to proceed there.
George Durzi
edited the answer.
Sunny
Thanks Sunny, I made this little tweak and it works great.
George Durzi
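One way to put Sunny's isHtmlContent check together with the two redirects from the question, as an added example that is neither the poster's module nor Sunny's code. The CMS "RequireSSL" lookup is stubbed by a hypothetical RequiresSsl method, and www.myurl.com is the placeholder host from the question.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: switches between HTTP and HTTPS per request, but only
// downgrades page requests, so sub-resources of an HTTPS page stay on HTTPS
// and the browser never reports mixed content.
public class SslSwitchModule : IHttpModule
{
    // Extensions treated as "page" requests; "" covers extensionless routes.
    static readonly string[] HtmlExtensions = { ".aspx", ".asmx", ".ashx", ".html", ".htm", "" };
    const string Host = "www.myurl.com"; // placeholder host from the question

    public void Init(HttpApplication app)
    {
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    public void Dispose() { }

    static bool IsHtmlContent(HttpRequest request)
    {
        string ext = Path.GetExtension(request.Url.AbsolutePath).ToLowerInvariant();
        return Array.IndexOf(HtmlExtensions, ext) >= 0;
    }

    // Hypothetical stand-in for the CMS "RequireSSL" property lookup.
    static bool RequiresSsl(HttpRequest request)
    {
        return request.Url.AbsolutePath.StartsWith("/secure/", StringComparison.OrdinalIgnoreCase);
    }

    void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        string pathAndQuery = req.Url.PathAndQuery;
        bool requestRequiresSsl = RequiresSsl(req);

        if (requestRequiresSsl && !req.IsSecureConnection)
        {
            // Upgrading to HTTPS is always safe, whatever the content type.
            ctx.Response.Redirect("https://" + Host + pathAndQuery, true);
        }
        else if (!requestRequiresSsl && req.IsSecureConnection && IsHtmlContent(req))
        {
            // Downgrade only HTML; images, scripts and CSS keep the secure connection.
            ctx.Response.Redirect("http://" + Host + pathAndQuery, true);
        }
    }
}
```

The module only runs for requests that ASP.NET itself handles, so static files served directly by IIS never reach it.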
A: 

Any content that is not normally handled by .NET (such as regular HTML and most graphic files) will not execute the HttpModule because it doesn't go through .NET.

Your best bet is to just handle this at the IIS level. See the following for info on how to configure your server.

http://www.jameskovacs.com/blog/HowToAutoRedirectToASSLsecuredSiteInIIS.aspx

Chris Lively
Chris, the only issue here is that this is a CMS where content authors can create sites and set a "RequireSSL" property on them. The sites are stored in the CMS database but not in IIS.
George Durzi
+1  A: 

I highly recommend using this (free / open source) component to do what you're trying:

http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx

Keltex
Thanks Keltex, I'll give that a shot tomorrow
George Durzi
A: 

I highly recommend this product:

http://www.e2xpert.com/web/Http-Https-Switch.aspx

It is professional and easy to use. It comes with a powerful configuration tool, with which a single click completes the entire configuration for you.

Mirrorlu
A: 

Just use SSL throughout your site, for all pages and for all images/scripts/stylesheets. That just makes everything oh-so-simple. IE and Firefox will no longer complain, you will no longer have crazy modules trying to guess whether any given request should be redirected, etc.

Justice