Redirect to SSL for entire ASP.NET application

[Stephen Walch]

I wish to enforce SSL for an entire ASP.NET application (including the
custom authentication page and all other pages). To achieve this, I am
using the "Require SSL" on the Virtual Directory in IIS. This works, but
when users hit the non-SSL version of the page (http:/...) they get an ugly
error message. Is there a way to automatically redirect to the SSL version
of the page (https:/...) instead?

I have searched for information and tried a couple approaches that I could
not get to work on my system. What is the best way to do this on Windows
2003?

Thanks!
- Steve

 

[MSFT]

Hi Steve,

In the IIS configration, you set a customized web page for a particular
error in "Custom Errors". For example, the error when you access your web
page with "http" is 403.4. You can specify the custom web page for this
error.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Stephen Walch]

I do not want to specify a custom web page. I want to automatically
redirect each http: request to the corresponding https: request. Surely I
do not have to set up a mapping for each and every page?

 

[Brad]

Stephen, something like the following would work for you.

VB.Net code in Global.asax:

Sub Application_BeginRequest(ByVal sender As [Object], ByVal e As EventArgs)
If Request.IsSecureConnection = False
Response.Redirect(Request.Url.ToString.Replace("http:", "https:"))
End If
End Sub

One point that you probably already know: Once a client begins https with
your site then all request is that session should be https unless "http" is
hardcoded in somewhere or client manually mistypes a url.


Brad

 

[Stephen Walch]

This solved our problem. Thanks!

Stephen, something like the following would work for you.

VB.Net code in Global.asax:

Sub Application_BeginRequest(ByVal sender As [Object], ByVal e As EventArgs)
If Request.IsSecureConnection = False
Response.Redirect(Request.Url.ToString.Replace("http:", "https:"))
End If
End Sub

One point that you probably already know: Once a client begins https with
your site then all request is that session should be https unless "http" is
hardcoded in somewhere or client manually mistypes a url.


Brad

I do not want to specify a custom web page. I want to automatically
redirect each http: request to the corresponding https: request. Surely I
do not have to set up a mapping for each and every page?

 

[Guest]

include the following in the head section :

<%
If Request.ServerVariables("SERVER_PORT")=80 Then
Dim strSecureURL as string
strSecureURL = "https://"
strSecureURL = strSecureURL & Request.ServerVariables
("SERVER_NAME")
strSecureURL = strSecureURL & Request.ServerVariables
("URL")
Response.Redirect(strSecureURL)
End If
%>

this forces the page to load over SSL

Hope it helps.

Arno Broeders