How do I do the OPPOSITE of [RequireHttps(Redirect=true)] in ASP.NET MVC

Question

I know the easy way to get to an SSL page in ASP.NET MVC - via the [RequireSSL] attribute but I\'m a little confused to the best way to do the opposite.

I have many

Answer 1

This is well worth reading (epecially to realize the security implications of switching carelessly back to http from https :

Partially SSL Secured Web Apps With ASP.NET - not MVC specific but relevant security concerns

Partial SSL Website with ASP.NET MVC - MVC friendly

It's quite a complicated issue overall. Still haven't found a true solution to everything I want to do, but thought these articles may help others.

Answer 2

Answer from a dupe question elsewhere:

How to step out from https to http mode in asp.net mvc.

CAUTION: If choosing to use this approach your auth cookie will be sent over plain text after switching back to HTTP, and can potentially be stolen and used by someone else. See this. In other words - if you were using this for a bank site you would need to make sure that switching to http would first log the user out.

public class DoesNotRequireSSL: ActionFilterAttribute 
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext) 
        {
                var request = filterContext.HttpContext.Request;
                var response = filterContext.HttpContext.Response;

                if (request.IsSecureConnection && !request.IsLocal) 
                {
                string redirectUrl = request.Url.ToString().Replace("https:", "http:");
                response.Redirect(redirectUrl);
                }
                base.OnActionExecuting(filterContext);
        }
    }

Answer 3

You're not missing anything; there is no out-of-the-box functionality for this. You can easily create your own by taking the RequireSslAttribute source and modifying it.