 

Mixed http/https site

So far, my https deployments have commonly involved a naive lockdown of the entire site with https and providing an http-to-https redirect on the web server.

I now plan to have a single ASP.NET MVC site (on the cloud) that will contain both http and https pages. So, the site will have 2 conceptual (not physical) zones providing for both secure and non-secure requests.

Configuration-wise, I have set up input ports for both 80 and 443 and the site accepts both requests.

Is there any way I can flip protocol to https for any call that goes to an action that belongs in the secure zone? For instance, the kind of things that action filters can do.

Thanks much.

edit: Please note that the whole idea of this is to avoid using absolute urls on the form action attribute because of portability issues and because the user will not see the https:// assurance visual cues on the browser.

P

Pita.O asked Apr 17 '09 18:04


1 Answer

You might want to take a look at the MVC futures assembly from Microsoft available for download here.

This has a FilterAttribute, RequireSslFilterAttribute that allows you to easily tag Action methods in your controller that require SSL - e.g.

[RequireSsl(Redirect=true)]
public ActionResult LogOn()
{
  return View();
}

The optional redirect parameter will cause the request to be redirected to the same URL but via https instead of http if required.

WARNING: As Daniel points out though, by the time you hit this Action it may already be too late if data was posted to a non-secure version of the page - it is already potentially compromised, so you still need to exercise care when using this and make sure all sensitive data is sent via https. (I just noticed your comment to Daniel, you obviously understand this, I'll leave the warning here for anyone else who stumbles upon this though!)

EDIT: As Luke points out, in MVC2 this attribute is now part of the core framework and is renamed to [RequireHttps]

Steve Willcock answered Nov 07 '22 20:11
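The warning in the answer above, turned into code (an added example, not part of the original answer): tagging both the GET that renders the form and the POST that receives it keeps a relative form action on https, and a plain-http POST is refused rather than redirected. The names RequireHttpsStrictAttribute and AccountController are hypothetical, and HttpStatusCodeResult assumes MVC 3 or later.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name; derives from the framework's [RequireHttps].
public class RequireHttpsStrictAttribute : RequireHttpsAttribute
{
    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // A GET carries no form body, so bouncing it to https is safe.
        if (string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            base.HandleNonHttpsRequest(filterContext); // redirect to the https URL
            return;
        }

        // Any other verb has already sent its body in clear text. Redirecting
        // would hide that, so answer with an explicit 403 (the base attribute
        // throws InvalidOperationException here instead).
        filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
    }
}

// Hypothetical controller showing the "secure zone" pair of actions.
public class AccountController : Controller
{
    // The form page itself is served over https, so a relative
    // <form action="/Account/LogOn"> posts back over https as well.
    [RequireHttpsStrict]
    public ActionResult LogOn()
    {
        return View();
    }

    // Credentials are only accepted on a secure connection.
    [HttpPost]
    [RequireHttpsStrict]
    public ActionResult LogOn(string userName, string password)
    {
        // Authentication logic is out of scope for this example.
        return RedirectToAction("Index", "Home");
    }
}
```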