ASP.NET MVC - HTML.BeginForm and SSL

Question

I am encountering an issue with what should be a simple logon form in ASP.NET MVC 2. Essentially my form looks a little something like this:

using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm" }))

I have a RequiresHTTPS filter on the LogOn Action method but when it executes I receive the following message

The requested resource can only be accessed via SSL

At this point the only solution that worked was to pass in an extra action htmlattribute as follows:

 var actionURL = "https://"  + Request.Url.Host + Request.Url.PathAndQuery;   
 using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm", @action = actionURL }))

While this works I wonder a) why i am seeing this issue in the first place and b) if there is a more straightforward way of posting to https from a http page?

[Edit]

I should have stated that the logon dropdown will be available on many public pages. I do not want all of my pages to be HTTPS. For instance, my hope page - which ANYONE can see - should not be HTTPS based. Essentially I need to specify the protocol in my form but have no idea how to do that, or if it is possible.

I would appreciate any advice/suggestions. Thanks in advance

JP

Answer 1

You could use

<form action =" <%= Url.Action(
"action",
"controller",
ViewContext.RouteData.Values,
"https"
) %>" method="post" >

Answer 2

Use the [RequireHttps] attribute on both the action that renders the form and the one you are posting to.

Answer 3

Update: Review the comments below about the security vulnerabilities of this approach before considering the use of this code.

I found that a hybrid of JP and Malcolm's code examples worked.

using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @action = Url.Action("Login","Account",ViewContext.RouteData.Values,"https") }))

Still felt a bit hacky though so I created a custom BeginForm helper. The custom helper is cleaner and does not require https when running locally.

public static MvcForm BeginFormHttps(this HtmlHelper htmlHelper, string actionName, string controllerName)
    {
        TagBuilder form = new TagBuilder("form");
        UrlHelper Url = new UrlHelper(htmlHelper.ViewContext.RequestContext);

        //convert to https when deployed
        string protocol = htmlHelper.ViewContext.HttpContext.Request.IsLocal == true? "http" : "https";

        string formAction = Url.Action(actionName,controllerName,htmlHelper.ViewContext.RouteData.Values,protocol);
        form.MergeAttribute("action", formAction);

        FormMethod method = FormMethod.Post;
        form.MergeAttribute("method", HtmlHelper.GetFormMethodString(method), true);

        htmlHelper.ViewContext.Writer.Write(form.ToString(TagRenderMode.StartTag));

        MvcForm mvcForm = new MvcForm(htmlHelper.ViewContext);

        return mvcForm;
    }

Example usage:

@using (Html.BeginFormHttps("Login", "Account"))