Hello,


A) Can you, at the server side, enforce an SSL connection (via selecting the Require Secure Channel option) only per web application, or can you also enforce it per virtual directory or even only per web page?


B) How exactly does enforcing an SSL connection work? Is it that if users specify the http instead of the https protocol (in the requested URL), the request will automatically get rejected by IIS?


Thanks

+1  A: 

Yes and yes.

Chris
+1  A: 

There may be a configuration setting to enforce this at the IIS level, but in code, you could check the Request.IsSecureConnection value like so:

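// ThreadAbortException is in the System.Threading namespace
if (!Request.IsSecureConnection)
{
    try
    {
        // Redirect(url, true) ends the response, which raises ThreadAbortException
        Response.Redirect("https://....", true);
    }
    catch (ThreadAbortException)
    {
        // expected when the redirect ends the response
    }
}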

Where "...." is the URL for the current page. A good place for this type of code is in the Page_Load method of your MasterLayout.master file.

Jordan S. Jones
Any idea how to enforce SSL (per web page) at the IIS level?
SourceC
+3  A: 

As stated above, 1) SSL can be set at the server, site, or virtual directory.

2) If the server/site/vdir is configured using the "Require Secure Channel" setting, the response from the server will be a "403.4 Forbidden: SSL is required to view this resource." error or a "403.5 Forbidden: SSL 128 is required to view this resource.".

You can actually customize the 403.4 or 403.5 error to redirect back to HTTPS. Create a VDIR under your site with NO SSL requirement (this is important) - I use "CustomError". Create an ASP file inside this directory called 403_4_Error.asp containing the following:

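<%@ LANGUAGE="VBScript" %>
<%
' Custom error page for 403.4/403.5: act only when the request came in over plain HTTP
If Request.ServerVariables("HTTPS") <> "on" Then
    sServer = Request.ServerVariables("SERVER_NAME")
    sScript = Request.ServerVariables("SCRIPT_NAME")
    sQuery  = Request.ServerVariables("QUERY_STRING")
    sUrl = "https://" & sServer & sScript
    ' Append the query string only when there is one
    If sQuery <> "" Then sUrl = sUrl & "?" & sQuery
    ' Redirect the client to the HTTPS URL rather than printing it
    Response.Redirect(sUrl)
End If
%>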

Edit the server/site/vdir's Custom Error property for 403.4/403.5 and set the MessageType to URL and the URL to "/CustomError/403_4_Error.asp".

Note that ASP is used, but you could easily use ASP.NET or any other scripting language.

Christopher_G_Lewis
This is very useful, thanks.
SourceC
+1  A: 

A neat way to do it is to register an HttpModule that examines each incoming request and redirects if necessary: no need for Custom Errors then.

Here's a blog post showing how it's done.

Samuel Jack
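
One way to write the HttpModule approach from the last answer, covering the per-directory and per-page cases asked about in the question. This is an added example, not code from the linked blog post or from any answer on this page; the class name `RequireHttpsModule`, the host `www.example.com` and the path prefixes are assumptions.

```csharp
using System;
using System.Web;

// Added example (hypothetical names). Register under <system.web><httpModules>
// (classic mode) or <system.webServer><modules> (integrated mode) in web.config.
public class RequireHttpsModule : IHttpModule
{
    // Assumptions: the site's canonical host and the paths that must use SSL.
    private const string CanonicalHost = "www.example.com";
    private static readonly string[] SecurePrefixes = { "/account/", "/checkout/pay.aspx" };

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (req.IsSecureConnection || !RequiresSsl(req.Url.AbsolutePath))
            return;

        if (req.HttpMethod == "GET" || req.HttpMethod == "HEAD")
        {
            // Build the target from the configured host, not the client-supplied
            // Host header, so the redirect cannot be pointed at another site.
            ctx.Response.Redirect("https://" + CanonicalHost + req.Url.PathAndQuery, false);
        }
        else
        {
            // A POST body has already crossed the wire in clear text; refuse it
            // instead of redirecting, so the client is not told to resend it.
            ctx.Response.StatusCode = 403;
        }
        ctx.ApplicationInstance.CompleteRequest();
    }

    // IIS paths are case-insensitive, so compare prefixes the same way.
    private static bool RequiresSsl(string path)
    {
        foreach (string prefix in SecurePrefixes)
            if (path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}
```

Because the first request still travels over HTTP before the redirect, mark session cookies as Secure so they are never sent on that hop.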