I am working on a project that has one page that needs to make use of the SSL certificate. All of the links in the site to this page make use of https instead of http, but in th
Generally, there are specific parts of the site that you either want to always be HTTPS, or HTTP.
I use the following action attribute to convert the traffic either to one or another:
public class ForceConnectionSchemeAttribute : ActionFilterAttribute
{
private string scheme;
public ForceConnectionSchemeAttribute(string scheme)
{
this.scheme = scheme.ToLower();
}
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
Uri url = filterContext.HttpContext.Request.Url;
if (url.Scheme != scheme)
{
string secureUrl = String.Format("{0}://{1}{2}", scheme, url.Host, url.PathAndQuery);
filterContext.Result = new RedirectResult(secureUrl);
}
}
}
// Suppose I always want users to use HTTPS to access their personal info:
[ForceConnectionScheme("https")]
public class UserController: Controller
{
// blah
}
I'd use URL rewriting to do that. Why? because it's simple to implement, requires no modifications to the application, and is easy to maintain.
On IIS7 you can accomplish that using URL rewrite module, for example:
<!-- http:// to https:// rule -->
<rule name="ForceHttpsBilling" stopProcessing="true">
<match url="(.*)billing/(.*)" ignoreCase="true" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="false" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
</rule>
On IIS6 you'll have to use a 3rd party library. I use IIRF (http://www.codeplex.com/IIRF) it's free, stable, and has a good amount of features.
I would call the Response.Redirect in page_load. It is simpler than generating the javascript, and will send fewer bytes to the client.
Code example
Actually the best practice would be to do this in one of three places, assuming hardware or IIS settings are not an option. Just code options.
All of those would be good options. One and two are guaranteed to be hit by every request processed by ASP.NET. The third one requires that you make sure all of your pages inherit from the base page.
I would not put the code in each page, that's just bad programming.
Let me know if you need more clarification, but this is a good start.