Geek Answers Handbook

Why, after SSL is enabled with [RequireHttps] at the action level, does it stay enabled forever?

We want to use https only when strictly necessary. Why, after calling such an action, as shown below, does it remain on forever?

[RequireHttps] public ActionResult LogIn() { if(Request.IsAuthenticated) return RedirectToAction("Index", "Account"); return View(); }

What can we do to disable it when it is not needed?

Thanks.

+1
source share
2 answers

I use this action filter, which redirects back to http when the https action is complete:

 using System.Web.Mvc; using System; public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter { public void OnAuthorization(AuthorizationContext filterContext) { // abort if it not a secure connection if (!filterContext.HttpContext.Request.IsSecureConnection) return; // abort if a [RequireHttps] attribute is applied to controller or action if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return; if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RequireHttpsAttribute), true).Length > 0) return; // abort if a [RetainHttps] attribute is applied to controller or action if (filterContext.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return; if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(RetainHttpsAttribute), true).Length > 0) return; // abort if it not a GET request - we don't want to be redirecting on a form post if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase)) return; // redirect to HTTP string url = "http://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl; filterContext.Result = new RedirectResult(url); } }
+4
source

The [RequireHttps] attribute can be used by controller type or action method to say: "this can only be accessed through SSL." Requests without SSL for the controller or action will be redirected to the SSL version (if HTTP GET) or rejected (if HTTP POST). You can override RequireHttpsAttribute and change this behavior if you want. There is no built-in [RequireHttp] attribute that does the opposite, but you can easily make your own if you want.

There are also Html.ActionLink () overloads that accept a protocol parameter; you can explicitly specify "http" or "https" as the protocol. Here's the MSDN documentation on one such overload. If you do not specify a protocol or you cause an overload that does not have a protocol parameter, it is assumed that you want the link to have the same protocol as the current request.

The reason we don’t have the [RequireHttp] attribute in MVC is because it’s not really very profitable. This is not as interesting as [RequireHttps], and it encourages users to do wrong. For example, many websites register through SSL and redirect back to HTTP after you log in , which is absolutely wrong to do . Your login cookie is as secret as your username + password, and now you send it in plain text via wire. In addition, you already managed to shake hands and protect the channel (which is the main part of making HTTPS slower than HTTP) before the MVC pipeline starts, so [RequireHttp] will not make the current request or future requests much faster.

If you use utube, change your deployment to use HTTPS, not HTTP. If you disable the HTTPS HTTP protocol without proper extract (see http://msdn.microsoft.com/en-us/library/system.web.security .formsauthentication.signout.aspx ), your username and password will be wide open. This is not enough to call SignOut.

+11
source

More articles:


All Articles