
ASP.NET MVC [RequireHttps] - return to http

Once you place [RequireHttps] on an action and the user switches from HTTP to HTTPS, all subsequent links will stay HTTPS...

Is there a way to switch back to HTTP?

zam6ak asked Feb 20 '12 22:02


3 Answers

Technically, you could do it

You could look at the source of RequireHttpsAttribute and reverse it.

In practice, you probably shouldn't

If the session is still alive, it is generally inadvisable to return to HTTP. This can be the foundation for a variety of attacks, for example, session hijacking.

David Ruttka answered Sep 22 '22 22:09


There is a pretty detailed description of how to handle switching from HTTPS back to HTTP for specific action methods at this link:

http://blog.clicktricity.com/2010/03/switching-to-https-and-back-to-http-in-asp-net-mvc/

Brian answered Sep 22 '22 22:09


Here's the 'ExitHttpsIfNotRequired' attribute I use:

using System;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class RetainHttpsAttribute : Attribute
{
}

public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Abort if it's not a secure connection  
        if (!filterContext.HttpContext.Request.IsSecureConnection) return;

        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "sdsd") return;

        // Abort if it's a child action
        if (filterContext.IsChildAction) return;

        // Abort if a [RequireHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return;

        // Abort if a [RetainHttps] attribute is applied to controller or action  
        if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;
        if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return;

        // Abort if it's not a GET request - we don't want to be redirecting on a form post  
        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Abort if the error controller is being called - we may wish to display the error within a https page
        if (filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Error") return;

        // No problems - redirect to HTTP
        string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}
Jonathan answered Sep 21 '22 22:09
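Added example (not from any of the answers above): a variant of the exit-HTTPS filter that takes the session-hijacking concern from the second answer into account by refusing to redirect to HTTP while the request carries a login or session cookie. The class name, the helper name and the assumed default session cookie name are illustrative assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example; class, method and constant names are hypothetical.
public class ExitHttpsWhenNoSessionAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: the default ASP.NET session cookie name. Adjust it if
    // <sessionState cookieName="..."> overrides the name in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    // True only when the request carries nothing that identifies a live session.
    public static bool IsSafeToExitHttps(HttpRequestBase request)
    {
        if (request.IsAuthenticated) return false;
        if (request.Cookies[SessionCookieName] != null) return false;
        if (request.Cookies[FormsAuthentication.FormsCookieName] != null) return false;
        return true;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        ActionDescriptor action = filterContext.ActionDescriptor;

        // Nothing to do for plain HTTP, child actions or non-GET requests.
        if (!request.IsSecureConnection) return;
        if (filterContext.IsChildAction) return;
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return;

        // Respect [RequireHttps] on the action or its controller (avoids a redirect loop).
        if (action.IsDefined(typeof(RequireHttpsAttribute), true)) return;
        if (action.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true)) return;

        // Stay on HTTPS while a login or session exists, so its cookie is
        // never replayed over a cleartext connection.
        if (!IsSafeToExitHttps(request)) return;

        // Anonymous, session-less GET: same redirect as the filter above.
        string url = "http://" + request.Url.Host + request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}
```

Setting requireSSL="true" on the httpCookies and forms elements in web.config marks these cookies Secure, so the browser does not send them over HTTP even if a redirect slips through.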