How do I go about using HTTPS for some of the pages in my ASP.NET MVC based site?
Steve Sanderson has a pretty good tutorial on how to do this in a DRY way on Previe
Here's a recent post from Dan Wahlin on this:
http://weblogs.asp.net/dwahlin/archive/2009/08/25/requiring-ssl-for-asp-net-mvc-controllers.aspx
He uses an ActionFilter Attribute.
MVCFutures has a 'RequireSSL' attribute.
(thanks Adam for pointing that out in your updated blogpost)
Just apply it to your action method, with 'Redirect=true' if you want an http:// request to automatically become https:// :
    [RequireSsl(Redirect = true)]
See also: ASP.NET MVC RequireHttps in Production Only
If you are using ASP.NET MVC 2 Preview 2 or higher, you can now simply use:
    [RequireHttps]
    public ActionResult Login()
    {
        return View();
    }
Though, the order parameter is worth noting, as mentioned here.
MVC 6 (ASP.NET Core 1.0) works slightly differently with Startup.cs.
To use RequireHttpsAttribute (as mentioned in the answer by Amadiere) on all pages, you could add this in Startup.cs instead of using the attribute style on each controller (or instead of creating a BaseController for all your controllers to inherit from).
Startup.cs - register filter:
    public void ConfigureServices(IServiceCollection services)
    {
        // TODO: Register other services
        services.AddMvc(options =>
        {
            options.Filters.Add(typeof(RequireHttpsAttribute));
        });
    }
For more info about the design decisions behind the above approach, see my answer on a similar question about how to exclude localhost requests from being handled by the RequireHttpsAttribute.
For those who are not a fan of attribute-oriented development approaches, here is a piece of code that could help:
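    // Goes in Global.asax.cs. Requires: using System; using System.Linq; using System.Web;
    // Page names that must always be served over HTTPS.
    public static readonly string[] SecurePages = new[] { "login", "join" };

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // RequestHelper is not a framework class; its code is not shown in this answer.
        var pageName = RequestHelper.GetPageNameOrDefault();

        // Plain HTTP request from an authenticated user, or for a secure page: switch to HTTPS.
        if (!HttpContext.Current.Request.IsSecureConnection
            && (HttpContext.Current.Request.IsAuthenticated || SecurePages.Contains(pageName)))
        {
            Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
        }

        // HTTPS request from an anonymous user for a non-secure page: switch back to HTTP.
        if (HttpContext.Current.Request.IsSecureConnection
            && !HttpContext.Current.Request.IsAuthenticated
            && !SecurePages.Contains(pageName))
        {
            Response.Redirect("http://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
        }
    }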
There are several reasons to avoid attributes, and one of them is that if you want to look at the list of all secured pages, you will have to jump over all the controllers in the solution.
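A variant of the Global.asax approach above, shown as an added example that is not part of the original answer: it covers only the upgrade to HTTPS, builds the target from an allowlisted host instead of echoing the client-supplied Host header into the redirect, and refuses non-GET requests rather than redirecting them. The `AllowedHosts` values, the `GetHttpsRedirect` helper and the class name `MvcApplication` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: Global.asax code-behind. AllowedHosts and SecurePages hold
// constructed sample values; replace them with the site's own.
public class MvcApplication : HttpApplication
{
    // Hosts this site is willing to redirect to (assumed values).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com", "example.com" };

    // First path segments that must be served over HTTPS (assumed values).
    private static readonly HashSet<string> SecurePages =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "login", "join" };

    // Returns the https:// URL to redirect to, or null when no redirect applies.
    internal static string GetHttpsRedirect(Uri url, string method, bool isSecure, bool isAuthenticated)
    {
        if (isSecure) return null;

        string[] segments = url.AbsolutePath.Trim('/').Split('/');
        bool needsHttps = isAuthenticated || SecurePages.Contains(segments[0]);
        if (!needsHttps) return null;

        // A redirect replays only the URL, so a POST body would be lost
        // (and has already crossed the wire in clear text). Reject instead.
        if (!string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) &&
            !string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase))
            throw new HttpException(403, "HTTPS is required for this resource.");

        // The Host header is client-controlled; never echo an unknown value
        // into a Location header.
        if (!AllowedHosts.Contains(url.Host))
            throw new HttpException(400, "Unrecognised host.");

        // UriBuilder with port -1 omits the port, so the default 443 is used.
        return new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 }.Uri.AbsoluteUri;
    }

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;
        string target = GetHttpsRedirect(request.Url, request.HttpMethod,
                                         request.IsSecureConnection, request.IsAuthenticated);
        if (target != null)
            Response.Redirect(target, true);
    }
}
```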
Some ActionLink extensions: http://www.squaredroot.com/post/2008/06/11/MVC-and-SSL.aspx
Or a controller action attribute that redirects to https://: http://forums.asp.net/p/1260198/2358380.aspx#2358380