SSL pages under ASP.NET MVC

前端 未结 12 1019
情话喂你
情话喂你 2020-11-28 01:49

How do I go about using HTTPS for some of the pages in my ASP.NET MVC based site?

Steve Sanderson has a pretty good tutorial on how to do this in a DRY way on Previe

相关标签:
12条回答
  • 2020-11-28 02:28

    Here's a recent post from Dan Wahlin on this:

    http://weblogs.asp.net/dwahlin/archive/2009/08/25/requiring-ssl-for-asp-net-mvc-controllers.aspx

    He uses an ActionFilter Attribute.

    0 讨论(0)
  • 2020-11-28 02:29

    MVCFutures has a 'RequireSSL' attribute.

    (thanks Adam for pointing that out in your updated blogpost)

    Just apply it to your action method, with 'Redirect=true' if you want an http:// request to automatically become https:// :

        [RequireSsl(Redirect = true)]
    

    See also: ASP.NET MVC RequireHttps in Production Only

    0 讨论(0)
  • 2020-11-28 02:30

    If you are using ASP.NET MVC 2 Preview 2 or higher, you can now simply use:

    [RequireHttps]
    public ActionResult Login()
    {
       return View();
    }
    

    Though, the order parameter is worth noting, as mentioned here.

    0 讨论(0)
  • 2020-11-28 02:33

    MVC 6 (ASP.NET Core 1.0) is working slightly different with Startup.cs.

    To use RequireHttpsAttribute (as mentioned in answer by Amadiere) on all pages, you could add this in Startup.cs instead of using attribute style on each controller (or instead of creating a BaseController for all your controllers to inherit from).

    Startup.cs - register filter:

    public void ConfigureServices(IServiceCollection services)
    {
        // TODO: Register other services
    
        services.AddMvc(options =>
        {
            options.Filters.Add(typeof(RequireHttpsAttribute));
        });
    }
    

    For more info about design decisions for above approach, see my answer on similar question about how to exclude localhost requests from being handled by the RequireHttpsAttribute.

    0 讨论(0)
  • 2020-11-28 02:34

    For those who are not a fan of attribute-oriented development approaches, here is a piece of code that could help:

    public static readonly string[] SecurePages = new[] { "login", "join" };
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        var pageName = RequestHelper.GetPageNameOrDefault();
        if (!HttpContext.Current.Request.IsSecureConnection
            && (HttpContext.Current.Request.IsAuthenticated || SecurePages.Contains(pageName)))
        {
            Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
        }
        if (HttpContext.Current.Request.IsSecureConnection
            && !HttpContext.Current.Request.IsAuthenticated
            && !SecurePages.Contains(pageName))
        {
            Response.Redirect("http://" + Request.ServerVariables["HTTP_HOST"] + HttpContext.Current.Request.RawUrl);
        }
    }
    

    There are several reasons to avoid attributes and one of them is if you want to look at the list of all secured pages you will have to jump over all controllers in solution.

    0 讨论(0)
  • 2020-11-28 02:35

    Some ActionLink extensions: http://www.squaredroot.com/post/2008/06/11/MVC-and-SSL.aspx Or an controller action attribute that redirects to https:// http://forums.asp.net/p/1260198/2358380.aspx#2358380

    0 讨论(0)
提交回复
热议问题