ASP.NET MVC - HTML.BeginForm and SSL

2019-04-20 01:50发布

站内问答 / C#
1115 3 5

I am encountering an issue with what should be a simple logon form in ASP.NET MVC 2. Essentially my form looks a little something like this:

using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm" }))

I have a RequiresHTTPS filter on the LogOn Action method but when it executes I receive the following message

The requested resource can only be accessed via SSL

At this point the only solution that worked was to pass in an extra action htmlattribute as follows:

 var actionURL = "https://"  + Request.Url.Host + Request.Url.PathAndQuery;   
 using (Html.BeginForm("LogOn", "Account", new { area = "Buyers" }, FormMethod.Post, new { ID = "buyersLogOnForm", @action = actionURL }))

While this works I wonder a) why i am seeing this issue in the first place and b) if there is a more straightforward way of posting to https from a http page?

[Edit]

I should have stated that the logon dropdown will be available on many public pages. I do not want all of my pages to be HTTPS. For instance, my hope page - which ANYONE can see - should not be HTTPS based. Essentially I need to specify the protocol in my form but have no idea how to do that, or if it is possible.

I would appreciate any advice/suggestions. Thanks in advance

JP

3条回答
仙女界的扛把子
2楼-- · 2019-04-20 02:01

Update: Review the comments below about the security vulnerabilities of this approach before considering the use of this code.

I found that a hybrid of JP and Malcolm's code examples worked. 

using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @action = Url.Action("Login","Account",ViewContext.RouteData.Values,"https") }))

Still felt a bit hacky though so I created a custom BeginForm helper. The custom helper is cleaner and does not require https when running locally. 

public static MvcForm BeginFormHttps(this HtmlHelper htmlHelper, string actionName, string controllerName)
    {
        TagBuilder form = new TagBuilder("form");
        UrlHelper Url = new UrlHelper(htmlHelper.ViewContext.RequestContext);

        //convert to https when deployed
        string protocol = htmlHelper.ViewContext.HttpContext.Request.IsLocal == true? "http" : "https";

        string formAction = Url.Action(actionName,controllerName,htmlHelper.ViewContext.RouteData.Values,protocol);
        form.MergeAttribute("action", formAction);

        FormMethod method = FormMethod.Post;
        form.MergeAttribute("method", HtmlHelper.GetFormMethodString(method), true);

        htmlHelper.ViewContext.Writer.Write(form.ToString(TagRenderMode.StartTag));

        MvcForm mvcForm = new MvcForm(htmlHelper.ViewContext);

        return mvcForm;
    }

Example usage:

@using (Html.BeginFormHttps("Login", "Account"))
查看更多
0人赞 添加讨论(0) 举报
ゆ 、 Hurt°
3楼-- · 2019-04-20 02:21

You could use 

<form action =" <%= Url.Action(
"action",
"controller",
ViewContext.RouteData.Values,
"https"
) %>" method="post" >
查看更多
0人赞 添加讨论(0) 举报
放我归山
4楼-- · 2019-04-20 02:26

Use the [RequireHttps] attribute on both the action that renders the form and the one you are posting to.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)