Ensure page is only accessed via SSL


- Steve -

If a user were to go to http://server/page.aspx I want to force them over
to https://server/page.aspx. So for those that didn't catch the subtle hint
there, I want to move them over to the SSL page.

What's the best way to handle that? I know I can have IIS block access to a
page if it's not over HTTPS, but I just want to seamlessly move them to the
HTTPS space.

I was thinking I could Response.Redirect() on the page load, but that just
doesn't seem right.

--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 

- Steve -

I'll answer my own question

In Page_load

    Response.Buffer = true;

    if (Request.ServerVariables["HTTPS"].Equals("off"))
    {
        String redirect = "", queryString = "";

        redirect = "https://" + Request.ServerVariables["SERVER_NAME"] +
                   Request.ServerVariables["SCRIPT_NAME"];
        queryString = Request.ServerVariables["QUERY_STRING"];

        if (!queryString.Equals(""))
            redirect += "?" + queryString;

        Response.Redirect(redirect);
    }



To reverse that (go from https to http) just switch the first if statement to
on, and assign redirect to http instead of https


--

Steve Evans
Email Services
SDSU Foundation
(619) 594-0708
 

Joerg Jooss

- Steve - said:
I'll answer my own question

In Page_load

    Response.Buffer = true;

    if (Request.ServerVariables["HTTPS"].Equals("off"))
    {
        String redirect = "", queryString = "";

        redirect = "https://" + Request.ServerVariables["SERVER_NAME"] +
                   Request.ServerVariables["SCRIPT_NAME"];
        queryString = Request.ServerVariables["QUERY_STRING"];

        if (!queryString.Equals(""))
            redirect += "?" + queryString;

        Response.Redirect(redirect);
    }

Testing ServerVariables seems a little ASPish -- better to use properties:

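    // IsSecureConnection is a property, so it takes no parentheses.
    if (!Request.IsSecureConnection) {
        // ...
        // QueryString is a collection; ToString() yields the encoded query string.
        queryString = Request.QueryString.ToString();
    }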

Also, in a more real-world scenario, load balancers or application level
firewalls should enforce such access rules (though redundant security
features won't hurt ;->).
 

ashelley

I'll answer my own question

In Page_load

    Response.Buffer = true;

    if (Request.ServerVariables["HTTPS"].Equals("off"))
    {
        String redirect = "", queryString = "";

        redirect = "https://" + Request.ServerVariables["SERVER_NAME"] +
                   Request.ServerVariables["SCRIPT_NAME"];
        queryString = Request.ServerVariables["QUERY_STRING"];

        if (!queryString.Equals(""))
            redirect += "?" + queryString;

        Response.Redirect(redirect);
    }



To reverse that (go from https to http) just switch the first if statement to
on, and assign redirect to http instead of https

You can install the RSA ACE client for IIS and it has an option to
force https. http://www.rsasecurity.com

-Adam
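
The redirect discussed in this thread, written as a small helper that uses Request.Url and Request.IsSecureConnection instead of server variables. This is an added example, not code from any of the posts; the class name HttpsRedirect, the placeholder host server.example, and the handling of an X-Forwarded-Proto header set by a TLS-terminating load balancer are assumptions.

```csharp
using System;

public static class HttpsRedirect
{
    // Assumption: the public host name comes from configuration, not from
    // the client-supplied Host header. "server.example" is a placeholder.
    const string CanonicalHost = "server.example";

    // Returns the https:// URL to send the client to, or null when the
    // request already arrived over TLS. forwardedProto is the value of an
    // X-Forwarded-Proto header and is honoured only when trustProxy is true,
    // i.e. when a TLS-terminating load balancer you control sets it.
    public static string Target(Uri requestUrl, bool isSecureConnection,
                                string forwardedProto, bool trustProxy)
    {
        bool secure = isSecureConnection ||
            (trustProxy && string.Equals(forwardedProto, "https",
                                         StringComparison.OrdinalIgnoreCase));
        if (secure) return null;

        var builder = new UriBuilder(requestUrl)
        {
            Scheme = Uri.UriSchemeHttps,
            Host = CanonicalHost,
            Port = -1   // drop the copied http port so the https default (443) applies
        };
        return builder.Uri.AbsoluteUri;   // path and query string are preserved
    }

    public static void Main()
    {
        // Constructed sample requests.
        var plain = new Uri("http://server/page.aspx?id=7&name=a%20b");
        var viaProxy = new Uri("http://server:8080/page.aspx");

        Console.WriteLine(Target(plain, false, null, false));
        // Proxy already spoke TLS to the client: no redirect, so no loop.
        Console.WriteLine(Target(viaProxy, false, "https", true) ?? "(no redirect)");
        // Same header from an untrusted source is ignored.
        Console.WriteLine(Target(viaProxy, false, "https", false));
    }
}

// In Page_Load (System.Web):
//   string t = HttpsRedirect.Target(Request.Url, Request.IsSecureConnection,
//                                   Request.Headers["X-Forwarded-Proto"], false);
//   if (t != null) Response.Redirect(t, true);
```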
 
