UselessChimp
Member
210 Points
110 Posts
Forms Authentication Before Custom Handler Problem.
Jan 18, 2013 03:37 PM
I have a website that has some pages I want to require SSL and I have RequireSSL="true" so that the forms authentication cookie will only be read when accessing over https.
I have written a custom module so that if the user tries to access a part of the website that I want them to use SSL for but they are using http it rewrites their url and does a response.redirect to https.
This all works so far. My problem is that if the user is logged in, and accessing a part of the system that is within https and then the user rewrites their url from https to http ASP does not allow my module to rewrite the url as https but instead kicks the user out to the login page, probably because that part of the website is protected by forms authentication and forms authentication cannot read the cookie once they have changed their url to http:
Now I know it sounds like a laughable situation for the user to put themselves in but is there any way for me to interrupt the page lifecycle BEFORE the forms authentication system has an opportunity to get involved so that I can redirect the user to the https page before forms authentication redirects them to the login please?
BrockAllen
All-Star
27524 Points
4902 Posts
MVP
Re: Forms Authentication Before Custom Handler Problem.
Jan 18, 2013 04:20 PM
Where are you doing this URL rewriting? You could do your redirect in BeginRequest.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
UselessChimp
Member
210 Points
110 Posts
Re: Forms Authentication Before Custom Handler Problem.
Jan 19, 2013 12:35 PM
Brock,
This is actually what I am doing. If the connection is made via http I check the link, decide if it needs to be https and if it does I rewrite it (The only pages excluded from https are actually the landing page for potential customers etc.). Here is the rewriting module: I will continue to test and play and if I find a solution I will post it here but if you can think of what is going wrong I would appreciate the help.

    Public Sub Init(ByVal application As HttpApplication) Implements IHttpModule.Init
        AddHandler application.BeginRequest, AddressOf Me.Context_BeginRequest
    End Sub

    ''' <summary>
    ''' If user is accessing site over http test to see if page should be https and redirect.
    ''' If user is accessing over https ignore.
    ''' </summary>
    ''' <param name="source">HTTP Application</param>
    ''' <param name="e">NULL in this context.</param>
    ''' <remarks></remarks>
    Private Sub Context_BeginRequest(ByVal source As Object, _
                                     ByVal e As EventArgs)
        Dim application As HttpApplication = CType(source, HttpApplication)
        ' Create HttpContext objects to access request and response properties.
        Dim context As HttpContext = application.Context
        Dim request As HttpRequest = context.Request
        If Not request.IsSecureConnection Then
            ' Connection is over http.
            If SslRequired(request.Url.AbsoluteUri) Then
                ' SSL is required for this URI, redirect.
                Dim path As String = String.Format("https{0}", request.Url.AbsoluteUri.Substring(4))
                context.Response.Redirect(path)
            End If
        End If
    End Sub

    ''' <summary>
    ''' Take a request path and decipher if the connection should be made over SSL.
    ''' </summary>
    ''' <param name="Path">The complete request path</param>
    ''' <returns>True if SSL required.</returns>
    ''' <remarks></remarks>
    Private Function SslRequired(ByVal Path As String) As Boolean
        Return SslMap.CheckPath(Path)
    End Function

UselessChimp
Member
210 Points
110 Posts
Re: Forms Authentication Before Custom Handler Problem.
Jan 19, 2013 12:55 PM
As an update I have now also tried using Response.CompleteRequest to prevent any further processing and I have also enabled the applicationEnRequest section of the module and have rewritten the path created in BeginRequest back into the path to see if the forms authentication module was overwriting after my module had got involved but alas, no this has not solved the problem.
UselessChimp
Member
210 Points
110 Posts
Re: Forms Authentication Before Custom Handler Problem.
Jan 19, 2013 01:16 PM
It looks like I have messed up. If I change my Private Function SslRequired(ByVal Path As String) As Boolean to always return true it works, so it would appear I have done something wrong elsewhere.
molly_c
Participant
1590 Points
401 Posts
Re: Forms Authentication Before Custom Handler Problem.
Jan 24, 2013 05:13 AM
What have you changed in the Private Function SslRequired(ByVal Path As String) As Boolean function?
Molly
It's time to start living the life you are imagined.
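The poster's last test (forcing SslRequired to return True) points at the path decision rather than at where the module sits in the pipeline. As an added example, not code from the thread (the real SslMap is never shown), here is one way to write that decision so it fails closed: only listed public pages are exempt, and anything unrecognised is sent to https before forms authentication sees it. The names SslMapExample, PublicPaths and ToHttps, the page names and the sample URLs are assumptions.

```vbnet
Imports System

' Added example: a hypothetical stand-in for the thread's SslMap (its real code is not shown).
Public Module SslMapExample

    ' Constructed sample data: the only pages allowed over plain http.
    Private ReadOnly PublicPaths As String() = {"/", "/default.aspx", "/pricing.aspx"}

    ' Returns True when the requested URL must be served over https.
    Public Function CheckPath(ByVal absoluteUri As String) As Boolean
        Dim parsed As Uri = Nothing
        ' Fail closed: a URL that does not parse is treated as protected.
        If Not Uri.TryCreate(absoluteUri, UriKind.Absolute, parsed) Then Return True
        ' Compare only the path, so scheme, host, port and query string cannot change the answer.
        Dim path As String = parsed.AbsolutePath
        If path.Length > 1 Then path = path.TrimEnd("/"c)
        For Each publicPath As String In PublicPaths
            ' IIS paths are case-insensitive, so the comparison is too.
            If String.Equals(path, publicPath, StringComparison.OrdinalIgnoreCase) Then Return False
        Next
        Return True
    End Function

    ' Builds the https redirect target for a request URL.
    Public Function ToHttps(ByVal requestUrl As Uri) As String
        Dim builder As New UriBuilder(requestUrl)
        builder.Scheme = Uri.UriSchemeHttps
        ' Assumption: https listens on its default port, so any explicit http port is dropped.
        builder.Port = -1
        Return builder.Uri.AbsoluteUri
    End Function

    Public Sub Main()
        ' Constructed sample URLs: case, query string, port and validity vary.
        Dim samples As String() = {
            "http://www.example.com/",
            "http://www.example.com/Pricing.aspx?ref=ad",
            "http://www.example.com/Account/Orders.aspx",
            "http://www.example.com:8080/account/orders.aspx?id=7",
            "not a url"}
        For Each sample As String In samples
            Dim needsSsl As Boolean = CheckPath(sample)
            Console.WriteLine("{0} -> SSL required: {1}", sample, needsSsl)
            Dim parsed As Uri = Nothing
            If needsSsl AndAlso Uri.TryCreate(sample, UriKind.Absolute, parsed) Then
                Console.WriteLine("   redirect to {0}", ToHttps(parsed))
            End If
        Next
    End Sub
End Module
```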