|
 Friday, February 02, 2007
« Prototype/Proof of Concept code is not p... | Main | Simian Upgrade »

Force HTTPS on all requests, HttpModule

 Sometimes we have websites that are strictly HTTPS. No files whatsoever are served up through HTTP. We want our users to only access the HTTPS portion of our website but we dont want them to remember "https://" blah blah blah. Honestly, who really wants to type all of that anyway? No one. We want our users to type www.example.com and then we want the site to redirect to the local https site. I've found a few sites out there that have some very robust SSL transition handlers, this one especially , but it was just way too much for what I needed to do. I needed something simple. So I started thinking...

There are a couple ways to do this.

Force SSL through IIS.


But this wouldnt be the desired method because if the user typed in http://www.example.com/ they would be presented with a page that states this site requires SSL. We want it to redirect. Also, this means that if I move my site to another server I have to update configuration on the IIS site as well as any settings in my web.config. Mo-hassles, mo-problems, yuck.

Redirect Page
We could also leave one page not requiring SSL and execute the following code in Page_Load

// Redirect to HTTPS Site
Response.Redirect("https://www.example.com");

That works, but what if a user has a bookmark to a special part of the site such as: http://www.example.com/examplefolder/example.aspx  ??
This method would get bypassed and the user could easily access the page without SSL Encryption.

Http Module
This is the method I decided to go with.

The code implements the IHttpModule interface. Inside of the Init method we attach to the Application.BeginRequest event and then we let the handler decide what to do with the page. If the page is using a secure connection then we dont do anything with the request. If they are not using a secure connection, the code replaces the Uri scheme with "https" and then performs a redirect.

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

/// <summary>
/// Redirects a request to the HTTPS site.
/// </summary>
public class RedirectToHttpsModule : IHttpModule
{
#region Constants

private const string HTTPS = "https";

#endregion

#region IHttpModule Members

public void IHttpModule.Dispose()
{
// Nothing to dispose.
}

public void IHttpModule.Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
}

void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = sender as HttpApplication;
if (!application.Request.IsSecureConnection)
{
// Grabs the current scheme, http, and replaces with https and redirects.
application.Response.Redirect(application.Request.Url.ToString().Replace(application.Request.Url.Scheme, HTTPS));
}
}

#endregion
}



Implementation
Download the RedirectToHttpsModule.cs file below and place it into the App_Code directory located in the root of your website.
Then add the following to your system.web configuration section of your web.config file.

<httpModules>
<add type="RedirectToHttpsModule" name="RedirectToHttpsModule" />
</httpModules>

Now, each request made to your site will be pushed to https.


RedirectToHttpsModule.zip (.57 KB)
.NET | ASP.NET
#    Comments [0] |
Name
E-mail
(will show your gravatar icon)
Home page

Comment (HTML not allowed)  

Enter the code shown (prevents robots):
Live Comment Preview