How to step out from https to http mode in asp.net

Posted 2019-03-31 05:10

I have made my Login page as Https enabled by adding the attribute [RequireSSL] on controller Action and it works fine. But after successful login it remains in https environment, however the page is non https page. Can anybody give me workaround how to step out from https to http mode? Any help in this regard will be greatly appreciated.

1 answer
Rolldiameter
#2 · 2019-03-31 05:47

You basically need to do the opposite, which is to have a [DoesNotRequireSSL] attribute, which effectively does the opposite of the [RequireSSL] attribute, i.e., redirects to the http protocol.

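using System;
using System.Web.Mvc;

public class DoesNotRequireSSL : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        if (request.IsSecureConnection && !request.IsLocal)
        {
            // Change only the scheme; a string Replace on the whole URL would
            // also rewrite any "https:" found in the path or query string.
            var builder = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttp, Port = -1 };

            // Setting Result short-circuits the action and issues the redirect.
            filterContext.Result = new RedirectResult(builder.Uri.ToString());
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}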

Also, if you would like to ensure that multiple pages have this behaviour, you can set up a base controller from which all your non-http controllers can inherit, so you don't have to worry about having to repeat yourself for every page which needs this.

  • 1
    Thanks a lot for great help!!! It works. – user189928 Oct 15 '09 at 7:39
3

CAUTION: I had a similar question. One important thing I learnt was that your auth cookie will be sent over plain text after switching back to HTTP. See this.

CAUTION 2: Don't forget to consider the dreaded "You are about to be redirected to a connection that is not secure" message.

If you're writing a bank application you need to be real careful - and also realize the increasing number of users on public wifi connections that could well [easily] be funneled through some sneaky proxy. Probably a much bigger concern for mainstream sites but a concern for us all to be aware of.

See also my other question (no answers at time of writing - but then I only just asked it!)
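
The cookie exposure raised in the answer above can be checked in the downgrade filter itself. The following is an added example, not code from any of the answers or the linked article; the attribute name is hypothetical and it assumes the site uses ASP.NET forms authentication:

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute name; assumes ASP.NET forms authentication.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class DowngradeIfAuthCookieSafeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;
        if (!request.IsSecureConnection)
        {
            return; // already on HTTP, nothing to do
        }

        // Did the browser present the forms-auth cookie on this HTTPS request?
        bool hasAuthCookie = request.Cookies[FormsAuthentication.FormsCookieName] != null;

        // <forms requireSSL="true"> makes ASP.NET issue the cookie with the Secure
        // attribute, so the browser withholds it from http:// requests. Without
        // it, the redirect below would make the browser send the cookie in clear text.
        if (hasAuthCookie && !FormsAuthentication.RequireSSL)
        {
            return; // keep the signed-in user on HTTPS
        }

        // Only redirect GET requests; other verbs stay on HTTPS.
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Secure cookie or anonymous visitor: the downgrade leaks no credential.
        // A signed-in user will appear anonymous on the HTTP page.
        filterContext.Result = new RedirectResult("http://" + request.Url.Host + request.RawUrl);
    }
}
```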

1

I know this is quite an old question, but many of the links presented above are dead and this code addresses it for ASP.NET MVC 5 by making some slight modifications to the RequireHttpsAttribute that is included in the System.Web.Mvc namespace:

using System;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class ForbidHttpsAttribute : FilterAttribute, IAuthorizationFilter
{
    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (filterContext.HttpContext.Request.IsSecureConnection)
        {
            HandleHttpsRequest(filterContext);
        }
    }

    protected virtual void HandleHttpsRequest(AuthorizationContext filterContext)
    {
        // only redirect for GET requests, otherwise the browser might not propagate the verb and request
        // body correctly.

        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("The requested resource can only be accessed *without* SSL.");
        }

        // redirect to HTTP version of page
        var url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
        filterContext.Result = new RedirectResult(url);
    }
}

The code comes from this article, which briefly discusses some of the security concerns of forcing users to redirect from HTTPS to HTTP as well.
