Last post Apr 28, 2010 12:51 AM by levib
Apr 18, 2010 02:23 AM|JTBS
I could not find any existing forum question on this topic with a clear MVC-based solution. So I wanted to make sure this common requirement is implemented in the MVC2 standard/recommended way:
- I have an ASP.NET MVC2 website hosted on Windows Azure
- I installed SSL and website works with HTTPS
- Website also works with HTTP
- This is because I currently have 2 end points: HTTP and HTTPS and both work
- I don't want all my website (Controller/Actions) to be accessible through HTTP or HTTPS
- I would like to decide what Controller/Actions require HTTPS vs HTTP
- Ideally I am expecting something like "[Authorize]" attribute on controller methods to take care of this.
I don't want to do custom coding, unless I am sure that there is no support around this already built into ASP.NET MVC2. I will be surprised if such a common requirement is not already there in ASP.NET MVC2. But I don't mind custom coding, if this support is still not there.
So I am hoping that someone from ASP.NET MVC2 team can respond to this query.
Thanks for your help
Apr 18, 2010 03:24 AM|levib
The [RequireHttps] attribute can be used on a controller type or action method to say "this can be accessed only via SSL." Non-SSL requests to the controller or action will be redirected to the SSL version (if an HTTP GET) or rejected (if an HTTP POST).
You can override the RequireHttpsAttribute and change this behavior if you wish. There's no [RequireHttp] attribute built-in that does the opposite, but you could easily make your own if you desired.
There are also overloads of Html.ActionLink() which take a protocol parameter; you can explicitly specify "http" or "https" as the protocol. Here's the MSDN documentation on one such overload. If you don't specify a protocol or if you call an overload which doesn't have a protocol parameter, it's assumed you wanted the link to have the same protocol as the current request.
Apr 18, 2010 02:08 PM|JTBS
Thanks for the prompt response.
I just came across RequireHttps right after posting my question.
Reading your response helped as you already answered my other question about how I am going to seamlessly control this behavior instead of exception etc. :)
Apr 28, 2010 12:21 AM|JTBS
The following are two scenarios where I am not sure how to force using HTTPS:
1. Html.BeginForm helper method does not take protocol parameter
   - I can write additional helper method OR use FORM directly
2. Web.config "Forms" authentication section, LoginURL
   - Is there a way to specify HTTPS but still use "~" based path
Apr 28, 2010 12:51 AM|levib
> Html.BeginForm helper method does not take protocol parameter
This is fine. You should almost never post from an HTTP page (that is, the <form> is sent in response to an HTTP request) to an HTTPS page. Doing so defeats the purpose of using HTTPS in the first place.
> Is there a way to specify HTTPS but still use "~" based path
The same protocol as the original request will be used. So if your user visits https://example.com/authenticated-resource, the redirect to ~/login will also take place via the SSL-protected channel.
You could also put [RequireHttps] on your login action. This way, if the user hits ~/login via HTTP, he will be redirected to the HTTPS version of it.
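The two pieces described in this thread, a home-made [RequireHttp] filter and [RequireHttps] covering the login action, as an added example that is not code from the thread or from the ASP.NET MVC team. The controller names, action bodies and exception message are assumptions, and the redirect assumes the site listens on the default ports 80 and 443.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical mirror image of the built-in [RequireHttps] filter.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireHttpAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        var request = filterContext.HttpContext.Request;
        if (!request.IsSecureConnection) return; // already plain HTTP, nothing to do

        // Same split as [RequireHttps]: only a GET is redirected, anything else is rejected.
        if (!String.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("This action is only available over HTTP.");

        // Rebuild the URL from the current request; no port is emitted (default ports assumed).
        filterContext.Result = new RedirectResult("http://" + request.Url.Host + request.RawUrl);
    }
}

[RequireHttp] // public pages only: everything served here travels in clear text
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}

// Applied at controller level so both the login form (GET) and its POST require SSL.
[RequireHttps]
public class AccountController : Controller
{
    public ActionResult Login() { return View(); }

    [HttpPost]
    public ActionResult Login(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "Invalid user name or password.");
        return View();
    }
}
```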