ASP.NET MVC2 has the new RequireHttpsAttribute, which you can use to decorate any action so that any non-secure request is forced to come through HTTPS (SSL). It can be used as simply as this:

    [RequireHttps]
    public ActionResult LogOn()
    {
        .....
    }

Now any request to the LogOn action that is not over HTTPS will automatically be redirected back to itself over HTTPS. This is very useful and easy to implement. Unfortunately, once the scheme has changed to HTTPS, all following requests will also be under HTTPS, because relative links keep the current scheme, which is not necessarily what you want. In most cases you do not need all requests to your site to be secure but only certain ones, such as the logon page or pages that accept credit card information.

To handle this you can override the Controller.OnAuthorization method. From within this method, you can check whether the RequireHttps attribute is set on the controller action by searching the attributes collection of the ActionDescriptor object. If the RequireHttpsAttribute is not set AND the request is under SSL, then return a redirect result to the HTTP (non-SSL) URL:

    // Needs: using System.Linq; using System.Web.Mvc;
    public class ControllerBase : Controller
    {
        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            // The RequireHttpsAttribute set on the controller action will handle redirecting to HTTPS.
            // We just need to handle any requests that are already under SSL but should not be.
            if (Request.IsSecureConnection)
            {
                bool requireHttps = filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), false).Count() >= 1;
                // The excerpt ends above; the redirect below is completed from the text (assumed; HTTP on port 80).
                if (!requireHttps)
                    filterContext.Result = new RedirectResult("http://" + Request.Url.Host + Request.RawUrl);
            }
        }
    }

Read more: Jeff Widmer's Blog
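The override described above checks only the action for [RequireHttps]. The following is an added example, not code from the blog, that also handles the attribute on the controller class, child actions and non-GET requests. The class name SchemeAwareController and the port 80 default are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical base controller (the name is an assumption, not from the blog).
public abstract class SchemeAwareController : Controller
{
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // A result is already set, or this is a partial rendered through
        // RenderAction: never redirect from here.
        if (filterContext.Result != null || filterContext.IsChildAction)
            return;

        var request = filterContext.HttpContext.Request;
        if (!request.IsSecureConnection)
            return; // [RequireHttps] handles the upgrade direction.

        // A redirect turns a POST into a GET and drops the body, so only
        // downgrade GET requests.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        // [RequireHttps] may sit on the action or on the controller class.
        // Checking only the action would bounce a class-level HTTPS
        // controller between http and https in a redirect loop.
        var action = filterContext.ActionDescriptor;
        bool requireHttps =
            action.IsDefined(typeof(RequireHttpsAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(RequireHttpsAttribute), true);
        if (requireHttps)
            return;

        // Same host, path and query with the scheme switched to http
        // (assumes the site answers HTTP on port 80).
        var target = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttp, Port = 80 };
        filterContext.Result = new RedirectResult(target.Uri.AbsoluteUri);
    }
}
```

Cookies issued on the HTTPS pages travel with the downgraded HTTP requests unless they carry the Secure flag (for forms authentication, requireSSL="true" on the forms element in web.config), so decide which cookies the HTTP pages are allowed to see before enabling the downgrade.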