server side redirect https => https NOT working

Axel

Hi

I am trying to redirect from some (login) pages from https to http by
using >>Response.Redirect<< but it seems to always end up on https pages
anyway. The only way I get the users back to http is by them clicking on
my (explicit) links but I want to drop them back to http as soon as they
are logged in.

The other way around (http to https) works fine. What could cause such a
behavior? Maybe some global switch in global.asa? Or cookies set by the
secure page? It's really weird.

I am considering doing the redirect client side but I don't want the
whole page to load and then do the redirect as it's slooow. OTOH I am
scared of cutting the page short server side in case the client redirect
method fails (e.g. due to ignoring javascript or meta headers). Is there
a surefire way to redirect to non-secure after successful login?

thanks in advance
Axel
 
Adrienne Boswell

> Hi
>
> I am trying to redirect from some (login) pages from https to http by
> using >>Response.Redirect<< but it seems to always end up on https pages
> anyway. The only way I get the users back to http is by them clicking on
> my (explicit) links but I want to drop them back to http as soon as they
> are logged in.
>
> The other way around (http to https) works fine. What could cause such a
> behavior? Maybe some global switch in global.asa? Or cookies set by the
> secure page? It's really weird.
>
> I am considering doing the redirect client side but I don't want the
> whole page to load and then do the redirect as it's slooow. OTOH I am
> scared of cutting the page short server side in case the client redirect
> method fails (e.g. due to ignoring javascript or meta headers). Is there
> a surefire way to redirect to non-secure after successful login?
>
> thanks in advance
> Axel

Here's what I do:

' Base URL of the current directory over https
serverswitchon = "https://" & request.servervariables("SERVER_NAME")
serverswitchon = serverswitchon & left(request.servervariables("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))
' Base URL of the current directory over plain http
serverswitchoff = "http://" & request.servervariables("SERVER_NAME")
serverswitchoff = serverswitchoff & left(request.servervariables("PATH_INFO"),instrrev(request.servervariables("PATH_INFO"),"/"))

' Use one of the following, depending on the direction:
response.redirect serverswitchoff & "pagename.asp" 'to http
response.redirect serverswitchon & "pagename.asp" 'to https
 
Axel

Hi - I am still struggling; I cannot make a server side redirect happen
from https to http.

It's not the generation of the URL that is the problem; it just simply
seems to ignore the fact that I am redirecting from secure to a plain
http page (the other way round always works). The user can click on http
links and follow but redirects or AddHeader always stay within https.

After reading
http://www.4guysfromrolla.com/aspfaqs/ShowFAQ.asp?FAQID=72 (ASPFAQs.com)
and
http://www.somacon.com/p145.php (Permanent Redirect with HTTP 301)

Here is my final code (using AddHeader instead of Redirect) - I also
made sure not to have ANY output before I call the page. However, some
session variables are written (these are needed to identify the user
once he is logged on) - Buffering is turned on as per standard.

Function redirectNoSSL(sUrl)
    Dim sNewURL
    sNewURL = stripSSL(sUrl)
    ' Discard anything already buffered so only the redirect is sent
    If Response.Buffer=True then
        Response.Clear
        Response.Buffer=False
    End If

    'Call Response.Redirect(sNewURL)
    ' instead of redirect!

    Response.Status = "301 Moved Permanently"
    Call Response.AddHeader ("Location", sNewURL)
    ' Stop here so the rest of the page does not run after the redirect
    Response.End
End Function

(stripSSL works fine, and is supposed to work with relative URLs; it just
recreates the current URL with http: instead of https, and appends the
(relative) target URL, see code below)

Any other suggestions?

Axel

' example: Redirect stripSSL("../../images/head.gif")
' Builds an absolute http:// URL for sTarget, relative to the current page's directory
Function stripSSL(sTarget)
    Dim host, sUrl, i
    stripSSL=""
    if sTarget="" Then Exit Function

    sUrl=Request.ServerVariables("URL")
    host=Request.ServerVariables("server_name")

    ' Keep the path up to and including the last "/"
    i=InStrRev(sUrl, "/")
    stripSSL= "http://" & host & Left(sUrl,i) & sTarget
End Function
 
Adrienne Boswell

Gazing into my crystal ball I observed Axel <[email protected]> writing in

Please do not top post - it confuses the order of the conversation.
Top posting corrected. See below:
> Hi - I am still struggling; I cannot make a server side redirect happen
> from https to http.

Did you try my method (watch wrapping)? I have no problems here doing
this - of course, this is on my local machine, with a local certificate.

This is what I did. I created a page - pagename0.asp that I put into my
url bar as https://localhost/pagename0.asp . That page comes up and
loops through the server variables - https is ON. There is a link to
pagename1.asp. Clicking on that (still in https), pagename1.asp
response.redirects to http://localhost/pagename3.asp. Pagename3.asp also
loops through the server variables, and it shows https is OFF.
 
Axel

Adrienne said:
> Gazing into my crystal ball I observed Axel <[email protected]> writing in
>
> Please do not top post - it confuses the order of the conversation.
> Top posting corrected. See below:
>
> Did you try my method (watch wrapping)? I have no problems here doing
> this - of course, this is on my local machine, with a local certificate.
>
> This is what I did. I created a page - pagename0.asp that I put into my
> url bar as https://localhost/pagename0.asp . That page comes up and
> loops through the server variables - https is ON. There is a link to
> pagename1.asp. Clicking on that (still in https), pagename1.asp
> response.redirects to http://localhost/pagename3.asp. Pagename3.asp also
> loops through the server variables, and it shows https is OFF.

Hi Adrian,

I am not quite sure what the difference is from the Redirect point of
view. Like me, you are also creating a standard version of the URI
(http://localhost/page.asp) in the string serverswitchoff. Then you do a
response.redirect to it. Or is it the fact that in your example you do 2
redirects (??).

In my case I do response.redirect http://path/somepage.asp
but still end up on https://path/somepage.asp
So it's not the URI that is the problem but the redirect (from secure to
http). BTW it always works the other way round (http => https). Maybe it
is a restriction of our ISP (network solutions).


BTW I can not test this behavior on localhost as I do not have a local
certificate. I always have to upload.

thanks
Axel
 
Adrienne Boswell

> Hi Adrian,

Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.

> I am not quite sure what the difference is from the Redirect point of
> view. Like me, you are also creating a standard version of the URI
> (http://localhost/page.asp) in the string serverswitchoff. Then you do
> a response.redirect to it. Or is it the fact that in your example you
> do 2 redirects (??).

Did you set it up EXACTLY like I said? This is something that I put in an
include and use as needed, eg:

<li><a href="<%=serverswitchon%>login.asp">Login</a></li>

> In my case I do response.redirect http://path/somepage.asp
> but still end up on https://path/somepage.asp
> So it's not the URI that is the problem but the redirect (from secure
> to http). BTW it always works the other way round (http => https).
> Maybe it is a restriction of our ISP (network solutions).

I doubt your ISP is Network Solutions. They are a registrar and hosting
provider, AFAIK, they are not an ISP.

> BTW I can not test this behavior on localhost as I do not have a local
> certificate. I always have to upload.

You can have a local certificate. It's absolutely necessary for testing,
just as in this case.

See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-SSL-testing-on-Win-XPIIS-5-for-free]
for instructions on how to install a certificate for localhost.
 
Axel

Adrienne said:
> Hate to be picky, but it's _Adrienne_ not Adrian. I'm female.

oh sorry, oops. :)

> Did you set it up EXACTLY like I said? This is something that I put in an
> include and use as needed, eg:
>
> <li><a href="<%=serverswitchon%>login.asp">Login</a></li>
> <li><a href="<%=serverswitchoff%>logoff.asp">Log Off</a></li>

yes - but these are links, and they happen on the client. Of course the
client is free to follow any link be it http or https...

What I am doing is a submit from a secure page, which posts to itself,
then does some database processing, password check and set other client
variables such as last cart etc. and then redirects to the relevant
(http) shopping area (*). And that's what ends up in (https) of that URI
anyway (although the redirect corrects to the http address). Of course I
could put in an interim page "click here to continue" and then go to the
normal protocol page but it's not very elegant.

(*)some special customers get to special portal areas via the same
login. Also if a session is timed out I redirect back to what the
customer did last after login.

I was also considering a redirect on the client but a lot of browsers
will react with security warnings...
> I doubt your ISP is Network Solutions. They are a registrar and hosting
> provider, AFAIK, they are not an ISP.

Yeah you're right. they're our host for the web site. what a stupid
mistake... my ISP is 3 ireland...

>> BTW I can not test this behavior on localhost as I do not have a local
>> certificate. I always have to upload.
>
> You can have a local certificate. It's absolutely necessary for testing,
> just as in this case.
>
> See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-SSL-testing-on-Win-XPIIS-5-for-free]
> for instructions on how to install a certificate for localhost.

that's cool to know - thank you very much!

Has anybody else any idea about the redirect? I still believe it's the
host's fault. Or could it be some option in global.asa?

Axel
 
Axel

>> You can have a local certificate. It's absolutely necessary for
>> testing, just as in this case.
>> See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-SSL-testing-on-Win-XPIIS-5-for-free]
>> for instructions on how to install a certificate for localhost.
>
> that's cool to know - thank you very much!

I have installed the IIS resource kit on my machine and issued a
certificate for myself for testing. And, lo and behold, the redirect
from https to https works on my local machine. So it's definitely the
host's fault. Now I only need to find out why the hell... :(

thanks for your help again!

Axel
 
Adrienne Boswell

>>> You can have a local certificate. It's absolutely necessary for
>>> testing, just as in this case.
>>> See [http://andyjarrett.co.uk/andy/blog/index.cfm/2004/10/1/Localhost-SSL-testing-on-Win-XPIIS-5-for-free]
>>> for instructions on how to install a certificate for localhost.
>>
>> that's cool to know - thank you very much!
>
> I have installed the IIS resource kit on my machine and issued a
> certificate for myself for testing. ANd, lo and behold, the redirect
> from https to https works on my local machine. So its definitely the
> host's fault. Now I only need to find out why the hell... :(
>
> thanks for your help again!

I'm so glad to be of help. Let us know how it works out, in case any of
us have a similar problem.
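
The thread ends with the cause on the host still unknown. One way to narrow it down is to read the raw redirect chain instead of the browser's address bar; the script below is an added example, not code from any poster in the thread. The names `fetch_hop`, `trace` and `diagnose`, the host `shop.example` and the sample responses are assumptions, and `trace()` is meant to be pointed at a GET-reachable test page that performs the redirect, like the pagename1.asp test described above.

```python
import http.client
from urllib.parse import urlsplit, urljoin
REDIRECTS = (301, 302, 303, 307, 308)

def fetch_hop(url, timeout=10):
    """One GET without following redirects: (status, Location, HSTS header)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        r = conn.getresponse()
        return r.status, r.getheader("Location"), r.getheader("Strict-Transport-Security")
    finally:
        conn.close()

def trace(url, fetch=fetch_hop, max_hops=5):
    """Walk the redirect chain hop by hop, keeping every raw response."""
    hops = []
    for _ in range(max_hops):
        status, location, hsts = fetch(url)
        hops.append({"url": url, "status": status, "location": location, "hsts": hsts})
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # a relative Location keeps the current scheme
    return hops

def diagnose(hops):
    """Name the hop responsible for the browser ending up on https."""
    first, loc = hops[0], (hops[0]["location"] or "").lower()
    if first["status"] not in REDIRECTS:
        return "no redirect: first response is %d" % first["status"]
    if not loc.startswith(("http://", "https://")):
        return "relative Location: resolved against the https request URL"
    if loc.startswith("https://"):
        return "https Location sent by the application or a rewriting front end"
    for hop in hops[1:]:
        if hop["url"].startswith("http://") and (hop["location"] or "").lower().startswith("https://"):
            return "host redirects http back to https at " + hop["url"]
    if any(h["hsts"] for h in hops):
        return "HSTS header present: browsers upgrade http to https on their own"
    return "chain ends on http: the server side is not forcing https"

# Constructed responses (not captured traffic) for a host that forces SSL.
SAMPLE = {
    "https://shop.example/pagename1.asp": (302, "http://shop.example/pagename3.asp", None),
    "http://shop.example/pagename3.asp": (301, "https://shop.example/pagename3.asp", None),
    "https://shop.example/pagename3.asp": (200, None, None),
}
```

With the constructed table, `diagnose(trace("https://shop.example/pagename1.asp", fetch=SAMPLE.__getitem__))` reports that the application's http redirect was sent correctly and a second, host-level redirect bounced it back to https.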
 
