I'm using MVC5 on some IIS servers on Amazon EC2, behind an Amazon Elastic Load Balancer. The IIS servers run only the HTTP protocol, and the ELB converts to HTTPS.
The IIS server doesn't know if the user is accessing through HTTPS, so I have a rewrite rule checking the "X-Forwarded-Proto" header to redirect the user to HTTPS.
Unfortunately, when a login is required, MVC/IIS redirects the user to a logon page in HTTP.
If I check my website in a tool like http://www.redirect-checker.org/ I get this type of result:
301 Moved Permanently (my URL rewrite rule)
302 Found (Login-required redirect -> why to HTTP?)
http://example.com/Account/Logon?ReturnUrl=%2F
301 Moved Permanently (again my URL rewrite rule)
https://example.com/Account/Logon?ReturnUrl=%2F
200 OK
Am I missing something?
Can I configure login-redirect to keep protocol, eliminating one of these redirects?
Better yet, can I somehow precede login-redirect rule and make it force HTTPS, in order to have only one redirect?
Thanks a lot!
Appendix: I checked that commands like "RedirectToAction" send an address like "/Index2", not the whole "http://example.com/Index2". This is fine, so it keeps the user's protocol.
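The redirect chain in the question can be checked mechanically; the following is an added example, not code from the original post, that walks a recorded chain and reports every hop sending a client already on HTTPS back to HTTP. The chains are constructed from the question's output, and the starting URL, the first redirect target and the name audit_chain are assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def audit_chain(start_url, hops):
    """Walk (status, Location) pairs; return (requested_urls, downgrades).

    downgrades lists (hop_index, from_url, to_url) for each redirect that
    sends a client that is on https back to http.
    """
    url, requested, downgrades = start_url, [start_url], []
    for i, (status, location) in enumerate(hops):
        if status not in REDIRECT_CODES or not location:
            break  # final response: the chain ends here
        # A relative Location resolves against the current URL and so
        # keeps its scheme; an absolute one can change it.
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((i, url, target))
        requested.append(target)
        url = target
    return requested, downgrades

# Constructed sample: the chain reported in the question (first two URLs assumed).
START_URL = "http://example.com/"
REPORTED = [
    (301, "https://example.com/"),                              # rewrite rule
    (302, "http://example.com/Account/Logon?ReturnUrl=%2F"),   # login redirect
    (301, "https://example.com/Account/Logon?ReturnUrl=%2F"),  # rewrite rule again
    (200, None),
]
# Constructed sample: the same flow if the login redirect were relative.
RELATIVE = [
    (301, "https://example.com/"),
    (302, "/Account/Logon?ReturnUrl=%2F"),
    (200, None),
]

if __name__ == "__main__":
    for name, chain in (("reported", REPORTED), ("relative", RELATIVE)):
        requested, downgrades = audit_chain(START_URL, chain)
        print(name, "requests:", len(requested), "downgrades:", downgrades)
```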
Assuming you're using ASP.NET forms authentication, have a look in your web.config for your Authentication configuration and add requireSsl="true" to the <forms> element, as below: