Hi guys,

So far, my https deployments have commonly involved a naive lockdown of the entire site with https, providing an http-to-https redirect on the web server.

I now plan to have a single ASP.NET MVC site (on the cloud) that will contain both http and https pages. So, the site will have 2 conceptual (not physical) zones providing for both secure and non-secure requests.

Configuration-wise, I have set up input ports for both 80 and 443 and the site accepts both requests.

Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone? For instance, the kind of things that action filters can do.

Thanks much.

edit: Please note that the whole idea of this is to avoid using absolute URLs in the form action attribute, because of portability issues and because the user will not see the https:// assurance visual cues in the browser.

P

A: 

Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone?

The short answer is no: once the request has come via http, it has already been potentially compromised. You can require that certain calls come via HTTPS (not sure how to do that as I have not done ASP.Net for a while) and send an error if they do not. The key is to decide when you want the application to make the jump, i.e. during login, and choose HTTPS as the action for those forms. Is that what you meant by 'action filters'?

Daniel
Sorry Daniel, not if you flip the request at the GET request that returns the form. The GET request need not be secure; it's the POST that does. You can require that certain calls come via HTTPS by using an absolute URL, which is what I intend to avoid. Thanks, though, for trying to help me out.
Pita.O
+5  A: 

You might want to take a look at the MVC futures assembly from Microsoft available for download here.

This has a FilterAttribute, RequireSslFilterAttribute, that allows you to easily tag action methods in your controller that require SSL, e.g.

[RequireSsl(Redirect=true)]
public ActionResult LogOn()
{
  return View();
}

The optional Redirect parameter will cause the request to be redirected to the same URL, but via https instead of http, if required.

WARNING: As Daniel points out though, by the time you hit this Action it may already be too late if data was posted to a non secure version of the page - it is already potentially compromised, so you still need to exercise care when using this and make sure all sensitive data is sent via https. (I just noticed your comment to Daniel, you obviously understand this, I'll leave the warning here for anyone else who stumbles upon this though!)

EDIT: As Luke points out, in MVC2 this attribute is now part of the core framework and is renamed to [RequireHttps]

Steve Willcock
Many thanks, Steve. Awesome.
Pita.O
Apologies if this is wrong - learning also - in MVC 2 it looks like this attribute has become RequireHttps. More here: http://stackoverflow.com/questions/1639707/asp-net-mvc-requirehttps-in-production-only
Luke Puplett
Well spotted, thanks Luke :)
Steve Willcock
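The filter described in the accepted answer, written out as an added example (not the MVC futures code or the MVC2 RequireHttps source): a hypothetical SecureZoneAttribute that redirects a plain-http GET to the same URL over https, and refuses a non-GET that arrived over http, since a POST body already sent in clear text cannot be "made secure" by redirecting. The attribute name, the 403 response and the AccountController are assumptions for illustration; the types used (FilterAttribute, IAuthorizationFilter, AuthorizationContext, RedirectResult, HttpStatusCodeResult, HttpPost) are standard ASP.NET MVC 2.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter, added as an illustration of the approach in the answer above.
// MVC2's built-in [RequireHttps] behaves along the same lines.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class SecureZoneAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        HttpRequestBase request = filterContext.HttpContext.Request;
        if (request.IsSecureConnection)
        {
            return; // already https: let the action run
        }

        // Only a GET can safely be re-issued over https. A POST that reached us over
        // http has already exposed its body on the wire (Daniel's point), so reject it
        // instead of bouncing the client to https and pretending nothing happened.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "This resource must be requested over HTTPS.");
            return;
        }

        // Rebuild the request's own URL with the https scheme. Host, path and query
        // are taken from the incoming request, so no absolute URL is hard-coded
        // anywhere in controllers or views. Port = -1 drops any explicit :80.
        UriBuilder secureUrl = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1
        };
        filterContext.Result = new RedirectResult(secureUrl.Uri.AbsoluteUri);
    }
}

// Assumed controller showing how the secure zone is declared per action.
public class AccountController : Controller
{
    // GET /Account/LogOn over http -> 302 to https://host/Account/LogOn
    [SecureZone]
    public ActionResult LogOn()
    {
        return View();
    }

    // POST /Account/LogOn over http -> 403; over https -> handled normally
    [SecureZone]
    [HttpPost]
    public ActionResult LogOn(string userName, string password)
    {
        // authentication logic omitted; this example only demonstrates the filter
        return RedirectToAction("Index", "Home");
    }
}
```

Because the GET of the form is redirected to https before the view renders, a plain Html.BeginForm() with a relative action posts back over https as well, which is what the question's edit is after. One caveat for a cloud deployment: if TLS is terminated at a load balancer in front of the web role, Request.IsSecureConnection may report false for every request; in that case the check needs to consult whatever header the balancer uses to forward the original scheme (commonly X-Forwarded-Proto, but confirm this for the platform in use), otherwise the filter would redirect in a loop.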