6

I found this post and it looks like what I needed for an application. My question is: how do you revert back to plain http when https is no longer needed? Will it inherently do this based on an action not having the [RequireHttps] annotation?

EDIT: I found a couple posts talking about moving from https to http (here & here). However, I'd still appreciate an answer to the question below.

Alternately, I had debated on having the application open in a new window. Is it a fair assumption that the https will only apply to the new window?

Jared
  • once a user has navigated through requirehttps, if they return to a controller without requirehttps they will still be under the https. – Travis J Jan 24 '12 at 19:31
  • Why go back to plain http? There's a huge security risk there: first off, forms auth tokens are transmitted cleartext and session ids can easily be sniffed. Use RequireSsl on your forms auth (if you are using it) but in turn note anywhere that is non-ssl will fail. Run your whole site ssl + understand how easy it is to steal a session from a single logged http packet. – Adam Tuliper Jan 24 '12 at 20:59
  • @AdamTuliper I currently don't have/need any authentication. I'm using this for an employment application. Once this is submitted it's pointless to encrypt their browsing any longer. I don't store anything in the session. Our web server is getting up there in age, so anything that I can do to ease the load is needed; hence if I no longer NEED ssl then why bother? I doubt the encryption is going to bog down the machine, but I'd just as soon not use it where it isn't needed, since resource-wise encryption isn't free. – Jared Jan 24 '12 at 23:00
  • @Jared fair enough sounds like you are on the right track, just wanted to bring up a concern : ) – Adam Tuliper Jan 25 '12 at 15:14

2 Answers

7

ASP.NET MVC's RequireHttps only goes one way. In the past I have just created my own FilterAttribute implementation to allow travel both ways:

EnsureHttpsAttribute

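  using System;
  using System.Web.Mvc;

  // Redirects plain-HTTP GET requests to HTTPS; local requests are left alone.
  public class EnsureHttpsAttribute : FilterAttribute, IAuthorizationFilter
  {
    public void OnAuthorization(AuthorizationContext filterContext)
    {
      // Verify is a project-specific precondition helper (not part of ASP.NET MVC);
      // it throws when a check fails.
      Verify.NotNull(filterContext, "filterContext");

      var request = filterContext.HttpContext.Request;
      if (request.Url == null || request.IsSecureConnection || request.IsLocal)
        return; // already on HTTPS, or a local request: nothing to do

      // Only GET is redirected; a redirected POST would lose its verb and body.
      Verify.True(request.HttpMethod.Equals("GET", StringComparison.OrdinalIgnoreCase), "filterContext");
      filterContext.Result = new RedirectResult("https://" + request.Url.Host + request.RawUrl);
    }
  }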

EnsureHttpAttribute

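  using System;
  using System.Web.Mvc;

  // Redirects HTTPS GET requests back to plain HTTP.
  public class EnsureHttpAttribute : FilterAttribute, IAuthorizationFilter
  {
    public void OnAuthorization(AuthorizationContext filterContext)
    {
      // Verify is a project-specific precondition helper (not part of ASP.NET MVC);
      // it throws when a check fails.
      Verify.NotNull(filterContext, "filterContext");

      var request = filterContext.HttpContext.Request;
      if (request.Url == null || !request.IsSecureConnection)
        return; // already on plain HTTP: nothing to do

      // Only GET is redirected; a redirected POST would lose its verb and body.
      Verify.True(request.HttpMethod.Equals("GET", StringComparison.OrdinalIgnoreCase), "filterContext");
      filterContext.Result = new RedirectResult("http://" + request.Url.Host + request.RawUrl);
    }
  }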

Almost the same implementation as RequireHttpsAttribute if memory serves; although the above implementation checks if it is a Local request and ignores the switch to HTTPS.

Chris Baxter
  • any thoughts on the second part of my question? If I open the action in a new window am I correct in assuming that https will only be applied to the new window? – Jared Jan 24 '12 at 19:39
  • Assuming relative URLs in the popup window, everything in the new window will remain HTTPS unless you have an absolute URL to explicitly switch back to HTTP. The parent window will remain in http unless you explicitly navigate or redirect to HTTPS. – Chris Baxter Jan 24 '12 at 19:41
  • It's probably not a good idea to redirect POST requests as this might confuse the browser. cf official implementation of the attribute. – nakhli Feb 09 '13 at 23:10
  • @Chaker - Yes, checking for `Request.HttpMethod == "Get"` is probably a good idea. I will update the example. – Chris Baxter Feb 09 '13 at 23:15
  • What is Verify doing? Is it just throwing an Exception if the check is false? – bartburkhardt Apr 30 '14 at 13:10
  • @bartburkhardt Yes, basically a CodeContract helper class that I use in my projects. – Chris Baxter Apr 30 '14 at 16:02
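An added example, not part of the original answer, showing how the two attributes above could be applied to the employment-application flow from the question, so that only GET requests are ever redirected. The `Verify` body is a hypothetical stand-in for the helper described in the comments, and the controller and action names are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical stand-in for the answer's Verify helper: throws when a check fails.
public static class Verify
{
    public static void NotNull(object value, string paramName)
    {
        if (value == null) throw new ArgumentNullException(paramName);
    }

    public static void True(bool condition, string paramName)
    {
        if (!condition) throw new ArgumentException("Precondition failed.", paramName);
    }
}

// Hypothetical controller; assumes EnsureHttpsAttribute and EnsureHttpAttribute
// from the answer above are compiled into the same project.
public class ApplicationController : Controller
{
    // A GET over plain HTTP is redirected to HTTPS before the form is rendered.
    [HttpGet, EnsureHttps]
    public ActionResult Apply()
    {
        return View();
    }

    // The form posts to a relative URL, so the POST stays on HTTPS.
    // The built-in RequireHttps rejects a plain-HTTP POST instead of redirecting it.
    [HttpPost, RequireHttps]
    public ActionResult Apply(FormCollection form)
    {
        // ... persist the submitted application here ...
        return RedirectToAction("Submitted"); // Post/Redirect/Get
    }

    // The follow-up GET arrives over HTTPS and is redirected back to plain HTTP.
    [HttpGet, EnsureHttp]
    public ActionResult Submitted()
    {
        return View();
    }
}
```

Because `EnsureHttpsAttribute` skips local requests while the built-in `RequireHttpsAttribute` does not, a form rendered over plain HTTP on a development machine will have its POST rejected; test this flow under HTTPS locally.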
2

I suggest you read this post:

http://www.codehosting.net/blog/BlogEngine/post/More-fiddling-with-MVC3-and-https.aspx

Travis J
  • Interesting article and good information. However, I'm not doing any authentication on my site at the moment. Once this happens I could see this being very useful so thanks for the link. – Jared Jan 24 '12 at 19:42
  • I believe from the other answers and posts on SO, that most people end up writing their own custom attribute to handle unique situations. – Travis J Jan 24 '12 at 19:50
  • So far that's what it's looked like. I think what I'll most likely do is have it auto redirect to a non https absolute url once I have them finish the form or open a new window in https and leave their previous browser window alone. – Jared Jan 24 '12 at 23:02