ASP MVC 3 RequireHttps attribute change all links to https

Asked 15/3, 2012 at 12:26 Answered 16/3, 2012 at 0:21

Solved asp.net-mvc hyperlink actionlink requirehttps

I have an ASP MVC 3 website that has a Feedback form and should require SSL.

Now, I have an action called Feedback inside a controller called 'ContactUs' that is responsible for viewing and processing the feedback.

When I used the [RequireHttps] attribute on that action, it works nice and it changes the URL to "https". However, I noticed that all the links inside my page are now pointing to "https"! As if this attribute had forced the routing engine to apply the same to all links!!!

Of course, the SSL is only required for this single action and all the rest need to have normal http.

Could anyone tell me how to solve this?

Mcvey answered 15/3, 2012 at 12:26 Comment(4)

Why do your other pages "require" http only? Does it really matter if they're https or not, so long as the pages that DO require https are encrypted? – Griffon 16/3, 2012 at 0:29

@Mystere Man: https severely reduces web server performance. On certain configurations it might be a big deal. – Aloke 3/7, 2012 at 2:45

@zespri - In days gone by, https was a significant load. Today, I guarantee you that the servers do more work building the pages than encrypting it. You're saying you'd rather make your site insecure than deal with a slight load increase. Ricks point below is that you have already created the load by requiring the https login, and future requests won't need much extra processing. – Griffon 3/7, 2012 at 4:48

I'm saying that I'd rather not add completely unnecessary and unwarranted overhead. Public portion of the site that does not contain any user specific data simply does not require https. There is no point of adding this overhead. Also https adds overhead each request, since you have to encrypt/decrypt data each request. – Aloke 3/7, 2012 at 4:56

In your case [RequireHttp] attribute might be OK if you clear out the login cookie - or you'll be sending it in clear-text across the wire. It might be more work than it's worth to avoid the slight cost of further HTTPS calls. SO is all about recycling questions and other users reading your question might think it's OK to drop down to HTTP after login, when it's usually the wrong thing to do.

The [RequireHttps] attribute can be used on a controller type or action method to say "this can be accessed only via SSL." Non-SSL requests to the controller or action will be redirected to the SSL version (if an HTTP GET) or rejected (if an HTTP POST). You can override the RequireHttpsAttribute and change this behavior if you wish. There's no [RequireHttp] attribute built-in that does the opposite, but you could easily make your own if you desired.

There are also overloads of Html.ActionLink() which take a protocol parameter; you can explicitly specify "http" or "https" as the protocol. Here's the MSDN documentation on one such overload. If you don't specify a protocol or if you call an overload which doesn't have a protocol parameter, it's assumed you wanted the link to have the same protocol as the current request.

The reason we don't have a [RequireHttp] attribute in MVC is that there’s not really much benefit to it. It’s not as interesting as [RequireHttps], and it encourages users to do the wrong thing. For example, many web sites log in via SSL and redirect back to HTTP after you’re logged in, which is absolutely the wrong thing to do. Your login cookie is just as secret as your username + password, and now you’re sending it in clear-text across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so [RequireHttp] won’t make the current request or future requests much faster.

Mcmahon answered 16/3, 2012 at 0:21 Comment(2)

Thanks for your reply. I think I should use LinkExtensions.ActionLink, but I don't know how to properly use it. can you explain it to me plz? – Mcvey 8/4, 2012 at 10:34

might be a basic question , as read here and here post request also get encrypted, but like to know weather i should decorate RequireHttps in post also ? – Longish 22/2, 2016 at 16:24

You can create another custom filter attribute to move back to http. Try solution from this question... Why once SSL is enabled with [RequireHttps] at action level, it remains enabled forever?

Fusain answered 15/3, 2012 at 13:23 Comment(1)

Your login cookie is just as secret as your username + password, and now you’re sending it in cleartext across the wire. Besides, you’ve already taken the time to perform the handshake and secure the channel (which is the bulk of what makes HTTPS slower than HTTP) before the MVC pipeline is run, so [RequireHttp] won’t make the current request or future requests much faster. – Mcmahon 16/3, 2012 at 0:55

Recommended topics

Hot tags