In MVC3, is there a downside to having every action run under https? [closed]

Question

I have a site which has to be secure - is there a downside to having the [RequireHttps] attribute on the home controller?

Answer 1

To answer your Specific question, there are only three downsides I can think of if you require Https on your HomeController.

1. There is an insignificant increase in server CPU per request. (If this application is served to millions/billions of users this may not be insignificant over a specific time)

2. There is an insignificant increase in network activity per request. (this also applies to number of requests over a specific time)

3. If your certificate ever expires, users will get a negative experience of your Home pages.

Answer 2

Descriptiom

Off course, if your certificate expires your user get warnings.

But if you want to add the Https Attribute to your whole site there are 2 ways you can do that.

1. Redirect in the Application_BeginRequest method.
2. Using Conditional Filters. You can add the [Https] attibute to every Action method, to a specific Controller or any other condition

Samples

1. Redirect in the Application_BeginRequest method.

   protected void Application_BeginRequest(Object sender, EventArgs e)
   {
       if ( !Request.IsSecureConnection)
       {
            string path = string.Format("https{0}", Request.Url.AbsoluteUri.Substring(4));
            Response.Redirect(path);
       }
    }
   

2. Using Conditional Filters

   • Add this class to your project

     public class ConditionalFilterProvider : IFilterProvider
     {
         private readonly
             IEnumerable<Func<ControllerContext, ActionDescriptor, object>> _conditions;
     
         public ConditionalFilterProvider(
             IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions)
         {
     
             _conditions = conditions;
         }
     
         public IEnumerable<Filter> GetFilters(
             ControllerContext controllerContext,
             ActionDescriptor actionDescriptor)
         {
             return from condition in _conditions
                     select condition(controllerContext, actionDescriptor) into filter
                     where filter != null
                     select new Filter(filter, FilterScope.Global, null);
         }
     }
     

   • Change your global.asax RegisterGlobalFilters method to add the [Https] attribute to every ActionMethod

     public static void RegisterGlobalFilters(GlobalFilterCollection filters)
     {
         IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions =
             new Func<ControllerContext, ActionDescriptor, object>[] { 
             (c, a) => new RequireHttpsAttribute()
         };
     
         var provider = new ConditionalFilterProvider(conditions);
         FilterProviders.Providers.Add(provider);
     
         filters.Add(new HandleErrorAttribute());
     }
     

More Information

• Phil Haack - Conditional Filters in ASP.NET MVC 3