Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can't turn off requirehttps in asp.net 5 MVC 6 site

Tags:

asp.net-core

I have an asp.net 5 MVC 6 site I am working on. I turned on require HTTPS like so:

services.AddMvc(options =>
{
    options.Filters.Add(new RequireHttpsAttribute());
});

It worked great, and I have been working like this for a little while. Today I need to turn it off, so I commented out the options filter, but it is still requiring HTTPS.

I have not used the [RequireHttps] attribute on the controllers or actions themselves.

I have gone into the properties and unchecked "Enable SSL" and pasted the http url in the "Launch URL" box.

I have shutdown IIS Express and relaunched the site. It doesn't seem to matter what I do, it continues to try to redirect to HTTPS.

Is it possible IIS Express or Kestral has cached something I need to delete? Anyone have any suggestions of what else could be forcing it to HTTPS?

like image 879
Matthew Avatar asked Jan 06 '23 23:01

Matthew


1 Answers

The RequireHttpsAttribute implementation will send a permanent redirect response (301) back to browser:

// redirect to HTTPS version of page
filterContext.Result = new RedirectResult(newUrl, permanent: true);

This means that when you initially had the attribute enabled and requested a url like http://localhost:62058/, the server will respond with:

301 (Moved permanently)
Location: https://localhost:62058/

If you look at the definition of the 301 response code you will see that browsers will cache it by default:

The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.

The new permanent URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).

After you remove the RequireHttps filter, the browser will still use the cached response:

Getting cached redirect to https response

So all you need to do after removing the RequireHttps filter is rebuild and clear the browser cache!

like image 92
Daniel J.G. Avatar answered Jan 31 '23 17:01

Daniel J.G.