Prevent Http requests in Website basis on Config Value

Question

I have implemented ASP.Net application deployed in IIS with http and https port enabled. Now i have an requirement to reject the HTTP requests basis on Web.Config value. If this value set to True then it should not accept requests which are coming with HTTP like it should throw an error Invalid Operation.. Try requesting with Secure connection. The first thing i did is to check this in Global.asax file as Below:

  if (Utilities.Utility.HttpsCheck)
    {
        if (!Request.IsSecureConnection)
        {
            Response.Write("Invalid Operation");
        }
    }

In this method i got an exception request is not available in this context. I googled it about this error and got to know that it can't be possible to access Request in Global file in ASP.NET.

Next method I tried is to add this above code in every page of my project and checking this before going to process request. But by doing this way i can not have control of preventing request to HTML pages, i have some html pages also in my project these files also i need to restrict.

If I include code in Page wise then it is applying for that page only.. But i have some image/video files also in website these also needs to restrict.

Is there any better way out to do this? Please help me in this regard.

Thanks in Advance.

Answer 1

You can configure IIS to only accept https. Http requests will automatically be redirected. Here is an example of how to configure IIS. http://support.microsoft.com/kb/324069

Hope this helps

Answer 2

A very simple way is to subclass the Page class and apply your conditionals in the subclassed page. You could have one subclass for restricted, one for not. The restricted page could access the value of a web config parameter and redirect as necessary.

public class HttpsPage : Page {


protected override void OnLoad(..)
{
 if (Utilities.Utility.HttpsCheck)
    {
        if (!Request.IsSecureConnection)
        {
            Response.Redirect(your-url);
        }
    }
}
}

That's rough as tho. It's a code based answer to your question but there would be 20 better ways depending on what your "exact" requirements might be.

To be perfectly frank if you're not sure about what you're doing then Id think very carefully about putting anything you feel requires a secure socket onto the web.... especially if that thing you're putting is not yours.

Answer 3

I have implemented the HTTP Module to restrict the HTTP access for my website basis on my config value. By using this I can be able to restrict the HTPP access to Image files and html pages also. Here is my Module Code:

public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        public void context_BeginRequest(Object source, EventArgs e)
        {
            //Code to reject the HTTP requests on basis of Config Value
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;

            if (context != null)
            {
                if (Utilities.Utility.HttpsCheck)
                {
                    if (!context.Request.IsSecureConnection)
                    {
                        context.Response.StatusCode = (int)System.Net.HttpStatusCode.BadRequest;
                        context.Response.StatusDescription = "Secure connetion required";
                        context.Response.End();
                    }
                }
            }
        }