I'm using SSL in my ASP.NET MVC 3 application. Once that the user enters in HTTPS mode, all the links in the page are generated with the HTTPS preface, but I'd like to "let the user leave" the HTTPS mode, and get back to HTTP when critical information exchange
has been already done.
Is there anyway in the Routes configuration or something to say something like: /Home/Index will be always HTTP
But it fails when I'm using a custom port. I mean, at the beginning it is:
http://127.0.0.1:5104/Home/Index but when the link is generated from HTTPS it looks:http://127.0.0.1/Home/Index and of course it doesn't work. is it maybe a bug?
Many web sites log in via SSL and redirect back to HTTP after you’re logged in,which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in clear-text across
the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so redirecting back to
HTTP after you’re logged in won’t make the current request or future requests much faster. For information on setting up
SSL on ASP.NET MVC, see my blog entry
Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms.
Vale
Member
42 Points
42 Posts
Force HTTP generated links from HTTPS context
Jun 02, 2011 11:47 AM|LINK
Hi,
I'm using SSL in my ASP.NET MVC 3 application. Once that the user enters in HTTPS mode, all the links in the page are generated with the HTTPS preface, but I'd like to "let the user leave" the HTTPS mode, and get back to HTTP when critical information exchange has been already done.
Is there anyway in the Routes configuration or something to say something like: /Home/Index will be always HTTP
I've tried with:
<a href="@Url.Action("Index","Home",null,"http")">Normal</a>But it fails when I'm using a custom port. I mean, at the beginning it is: http://127.0.0.1:5104/Home/Index but when the link is generated from HTTPS it looks:http://127.0.0.1/Home/Index and of course it doesn't work. is it maybe a bug?
Regards.
chohmann
Star
9385 Points
1644 Posts
Re: Force HTTP generated links from HTTPS context
Jun 02, 2011 08:56 PM|LINK
Try using this ActionLink overlaod that accpets a protocol paramter:
http://msdn.microsoft.com/en-us/library/dd460522.aspx
Forest Cheng...
Star
8370 Points
819 Posts
Re: Force HTTP generated links from HTTPS context
Jun 07, 2011 10:00 AM|LINK
Hi Vale,
Try to write a custom Html helper to generate a link according to the protocol pamater(used to specify which protocol your want to use). Here a look at this link: http://www.asp.net/mvc/tutorials/creating-custom-html-helpers-cs
Hope this helpful,
Forest Cheng
If you have any feedback about my replies,please contact msdnmg@microsoft.com.
Microsoft One Code Framework
Vale
Member
42 Points
42 Posts
Re: Force HTTP generated links from HTTPS context
Jun 27, 2011 11:47 AM|LINK
wow thanks a lot Cheng!
ricka6
All-Star
15070 Points
2272 Posts
Microsoft
Moderator
Re: Force HTTP generated links from HTTPS context
Jun 27, 2011 06:07 PM|LINK
See my blog post http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx
Many web sites log in via SSL and redirect back to HTTP after you’re logged in, which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in clear-text across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so redirecting back to HTTP after you’re logged in won’t make the current request or future requests much faster. For information on setting up SSL on ASP.NET MVC, see my blog entry Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms.