ASP.NET: best practice for redirecting to https

后端 未结 4 1478
你的背包
你的背包 2021-02-02 03:21

I am working on a project that has one page that needs to make use of the SSL certificate. All of the links in the site to this page make use of https instead of http, but in th

相关标签:
4条回答
  • 2021-02-02 03:43

    Generally, there are specific parts of the site that you either want to always be HTTPS, or HTTP.

    I use the following action attribute to convert the traffic either to one or another:

    public class ForceConnectionSchemeAttribute : ActionFilterAttribute
    {
        private string scheme;
    
        public ForceConnectionSchemeAttribute(string scheme)
        {
            this.scheme = scheme.ToLower();
        }
    
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            Uri url = filterContext.HttpContext.Request.Url;
            if (url.Scheme != scheme)
            {
                string secureUrl = String.Format("{0}://{1}{2}", scheme, url.Host, url.PathAndQuery);
                filterContext.Result = new RedirectResult(secureUrl);
            }
        }
    }
    
    
    // Suppose I always want users to use HTTPS to access their personal info:
    [ForceConnectionScheme("https")]
    public class UserController: Controller
    {
        // blah
    }
    
    0 讨论(0)
  • 2021-02-02 03:54

    I'd use URL rewriting to do that. Why? because it's simple to implement, requires no modifications to the application, and is easy to maintain.

    On IIS7 you can accomplish that using URL rewrite module, for example:

    <!-- http:// to https:// rule -->
    <rule name="ForceHttpsBilling" stopProcessing="true">
      <match url="(.*)billing/(.*)" ignoreCase="true" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="false" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
    </rule>
    

    On IIS6 you'll have to use a 3rd party library. I use IIRF (http://www.codeplex.com/IIRF) it's free, stable, and has a good amount of features.

    0 讨论(0)
  • 2021-02-02 04:00

    I would call the Response.Redirect in page_load. It is simpler than generating the javascript, and will send fewer bytes to the client.

    Code example

    0 讨论(0)
  • 2021-02-02 04:01

    Actually the best practice would be to do this in one of three places, assuming hardware or IIS settings are not an option. Just code options.

    1. In an HTTPModule. HttpModules are ran before any request is processed, so you could do the URL check and redirect there. This is what I would do.
    2. In Global.asax.
    3. In a custom base page, in the init function.

    All of those would be good options. One and two are guaranteed to be hit by every request processed by ASP.NET. The third one requires that you make sure all of your pages inherit from the base page.

    I would not put the code in each page, that's just bad programming.

    Let me know if you need more clarification, but this is a good start.

    0 讨论(0)
提交回复
热议问题