I know the easy way to get to an SSL page in ASP.NET MVC - via the [RequireSSL] attribute but I'm a little confused to the best way to do the opposite.
I have many links on my site in a header bar and most of those links don't require SSL and I don't want to still use SSL.
The futures project makes it very easy to redirect automatically to an SSL page with [RequireSSL(Redirect=true)]
, but it doesnt seem to make it easy to get out of this context and automatically redirect back to http.
What am I missing?
You're not missing anything; there is no out-of-the-box functionality for this. You can easily create your own by taking the RequireSslAttribute source and modifying it.
This is well worth reading (epecially to realize the security implications of switching carelessly back to
http
fromhttps
:Partially SSL Secured Web Apps With ASP.NET - not MVC specific but relevant security concerns
Partial SSL Website with ASP.NET MVC - MVC friendly
It's quite a complicated issue overall. Still haven't found a true solution to everything I want to do, but thought these articles may help others.
Answer from a dupe question elsewhere:
How to step out from https to http mode in asp.net mvc.
CAUTION: If choosing to use this approach your auth cookie will be sent over plain text after switching back to HTTP, and can potentially be stolen and used by someone else. See this. In other words - if you were using this for a bank site you would need to make sure that switching to http would first log the user out.